Azure Policy Regulatory Compliance controls for Azure Virtual Machines

Applies to: ✔️ Linux VMs ✔️ Windows VMs ✔️ Flexible scale sets ✔️ Uniform scale sets

Regulatory Compliance in Azure Policy provides Azure-created and -managed initiative definitions, known as built-ins, for the compliance domains and security controls related to different compliance standards. This page lists the compliance domains and security controls for Azure Virtual Machines. You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.

The title of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Policy Version column to view the source on the Azure Policy GitHub repo.

Important

Each control is associated with one or more Azure Policy definitions. These policies might help you assess compliance with the control. However, there often isn't a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policies themselves. This doesn't ensure that you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards can change over time.

Azure Security Benchmark

The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Azure Security Benchmark, see the Azure Security Benchmark mapping files.

| Domain | Control ID | Control Title | Policy (Azure portal) | Policy Version (GitHub) |
|---|---|---|---|---|
| Network Security | 1.1 | Protect resources using Network Security Groups or Azure Firewall on your Virtual Network | Adaptive Network Hardening recommendations should be applied on internet facing virtual machines | 1.0.0 |
| Network Security | 1.1 | Protect resources using Network Security Groups or Azure Firewall on your Virtual Network | Internet-facing virtual machines should be protected with network security groups | 1.1.0 |
| Network Security | 1.1 | Protect resources using Network Security Groups or Azure Firewall on your Virtual Network | IP Forwarding on your virtual machine should be disabled | 1.0.1 |
| Network Security | 1.1 | Protect resources using Network Security Groups or Azure Firewall on your Virtual Network | Management ports of virtual machines should be protected with just-in-time network access control | 1.0.1 |
| Network Security | 1.1 | Protect resources using Network Security Groups or Azure Firewall on your Virtual Network | Management ports should be closed on your virtual machines | 1.0.0 |
| Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' | 1.1.0 |
| Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' | 1.2.0 |
| Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' | 1.2.0 |
| Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' | 1.2.0 |
| Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Show audit results from Windows VMs configurations in 'Administrative Templates - Network' | 1.0.0 |
| Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client' | 1.0.0 |
| Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server' | 1.0.0 |
| Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Show audit results from Windows VMs configurations in 'Security Options - Network Security' | 1.0.0 |
| Network Security | 1.4 | Deny communications with known malicious IP addresses | Adaptive Network Hardening recommendations should be applied on internet facing virtual machines | 1.0.0 |
| Network Security | 1.4 | Deny communications with known malicious IP addresses | Management ports of virtual machines should be protected with just-in-time network access control | 1.0.1 |
| Logging and Monitoring | 2.2 | Configure central security log management | Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected | 1.2.0 |
| Logging and Monitoring | 2.2 | Configure central security log management | Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected | 1.0.0 |
| Logging and Monitoring | 2.2 | Configure central security log management | The Log Analytics agent should be installed on Virtual Machine Scale Sets | 1.0.0 |
| Logging and Monitoring | 2.2 | Configure central security log management | The Log Analytics agent should be installed on virtual machines | 1.0.0 |
| Logging and Monitoring | 2.3 | Enable audit logging for Azure resources | Diagnostic logs in Virtual Machine Scale Sets should be enabled | 1.0.0 |
| Logging and Monitoring | 2.4 | Collect security logs from operating systems | Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected | 1.2.0 |
| Logging and Monitoring | 2.4 | Collect security logs from operating systems | Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected | 1.0.0 |
| Logging and Monitoring | 2.4 | Collect security logs from operating systems | The Log Analytics agent should be installed on Virtual Machine Scale Sets | 1.0.0 |
| Logging and Monitoring | 2.4 | Collect security logs from operating systems | The Log Analytics agent should be installed on virtual machines | 1.0.0 |
| Logging and Monitoring | 2.8 | Centralize anti-malware logging | Endpoint protection solution should be installed on virtual machine scale sets | 1.0.0 |
| Logging and Monitoring | 2.8 | Centralize anti-malware logging | Microsoft Antimalware for Azure should be configured to automatically update protection signatures | 1.0.0 |
| Logging and Monitoring | 2.8 | Centralize anti-malware logging | Monitor missing Endpoint Protection in Azure Security Center | 1.0.0 |
| Identity and Access Control | 3.3 | Use dedicated administrative accounts | Deploy prerequisites to audit Windows VMs in which the Administrators group contains any of the specified members | 1.2.0 |
| Identity and Access Control | 3.3 | Use dedicated administrative accounts | Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain all of the specified members | 1.2.0 |
| Identity and Access Control | 3.3 | Use dedicated administrative accounts | Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain only the specified members | 1.2.0 |
| Identity and Access Control | 3.3 | Use dedicated administrative accounts | Show audit results from Windows VMs in which the Administrators group contains any of the specified members | 1.0.0 |
| Identity and Access Control | 3.3 | Use dedicated administrative accounts | Show audit results from Windows VMs in which the Administrators group does not contain all of the specified members | 1.0.0 |
| Identity and Access Control | 3.3 | Use dedicated administrative accounts | Show audit results from Windows VMs in which the Administrators group does not contain only the specified members | 1.0.0 |
| Data Protection | 4.8 | Encrypt sensitive information at rest | Disk encryption should be applied on virtual machines | 1.0.0 |
| Data Protection | 4.8 | Encrypt sensitive information at rest | Unattached disks should be encrypted | 1.0.0 |
| Vulnerability Management | 5.1 | Run automated vulnerability scanning tools | Vulnerability assessment should be enabled on virtual machines | 1.0.1 |
| Vulnerability Management | 5.2 | Deploy automated operating system patch management solution | System updates on virtual machine scale sets should be installed | 1.0.0 |
| Vulnerability Management | 5.2 | Deploy automated operating system patch management solution | System updates should be installed on your machines | 1.0.0 |
| Vulnerability Management | 5.5 | Use a risk-rating process to prioritize the remediation of discovered vulnerabilities | Vulnerabilities in container security configurations should be remediated | 1.0.0 |
| Vulnerability Management | 5.5 | Use a risk-rating process to prioritize the remediation of discovered vulnerabilities | Vulnerabilities in security configuration on your machines should be remediated | 1.0.0 |
| Vulnerability Management | 5.5 | Use a risk-rating process to prioritize the remediation of discovered vulnerabilities | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 1.0.0 |
| Vulnerability Management | 5.5 | Use a risk-rating process to prioritize the remediation of discovered vulnerabilities | Vulnerabilities should be remediated by a Vulnerability Assessment solution | 1.0.0 |
| Inventory and Asset Management | 6.10 | Implement approved application list | Adaptive application controls for defining safe applications should be enabled on your machines | 1.0.2 |
| Inventory and Asset Management | 6.8 | Use only approved applications | Adaptive application controls for defining safe applications should be enabled on your machines | 1.0.2 |
| Inventory and Asset Management | 6.9 | Use only approved Azure services | Virtual machines should be migrated to new Azure Resource Manager resources | 1.0.0 |
| Secure Configuration | 7.10 | Implement automated configuration monitoring for operating systems | Vulnerabilities in container security configurations should be remediated | 1.0.0 |
| Secure Configuration | 7.10 | Implement automated configuration monitoring for operating systems | Vulnerabilities in security configuration on your machines should be remediated | 1.0.0 |
| Secure Configuration | 7.10 | Implement automated configuration monitoring for operating systems | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 1.0.0 |
| Secure Configuration | 7.4 | Maintain secure operating system configurations | Vulnerabilities in container security configurations should be remediated | 1.0.0 |
| Secure Configuration | 7.4 | Maintain secure operating system configurations | Vulnerabilities in security configuration on your machines should be remediated | 1.0.0 |
| Secure Configuration | 7.4 | Maintain secure operating system configurations | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 1.0.0 |
| Malware Defense | 8.1 | Use centrally managed anti-malware software | Endpoint protection solution should be installed on virtual machine scale sets | 1.0.0 |
| Malware Defense | 8.1 | Use centrally managed anti-malware software | Monitor missing Endpoint Protection in Azure Security Center | 1.0.0 |
| Malware Defense | 8.3 | Ensure anti-malware software and signatures are updated | Microsoft Antimalware for Azure should be configured to automatically update protection signatures | 1.0.0 |
| Data Recovery | 9.1 | Ensure regular automated back ups | Azure Backup should be enabled for Virtual Machines | 1.0.0 |
| Data Recovery | 9.2 | Perform complete system backups and backup any customer managed keys | Azure Backup should be enabled for Virtual Machines | 1.0.0 |

CIS Microsoft Azure Foundations Benchmark

For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

| Domain | Control ID | Control Title | Policy (Azure portal) | Policy Version (GitHub) |
|---|---|---|---|---|
| Security Center | 2.3 | Ensure ASC Default policy setting "Monitor System Updates" is not "Disabled" | System updates should be installed on your machines | 1.0.0 |
| Security Center | 2.4 | Ensure ASC Default policy setting "Monitor OS Vulnerabilities" is not "Disabled" | Vulnerabilities in security configuration on your machines should be remediated | 1.0.0 |
| Security Center | 2.5 | Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled" | Monitor missing Endpoint Protection in Azure Security Center | 1.0.0 |
| Security Center | 2.6 | Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled" | Disk encryption should be applied on virtual machines | 1.0.0 |
| Security Center | 2.7 | Ensure ASC Default policy setting "Monitor Network Security Groups" is not "Disabled" | Adaptive Network Hardening recommendations should be applied on internet facing virtual machines | 1.0.0 |
| Security Center | 2.9 | Ensure ASC Default policy setting "Enable Next Generation Firewall(NGFW) Monitoring" is not "Disabled" | Internet-facing virtual machines should be protected with network security groups | 1.1.0 |
| Security Center | 2.10 | Ensure ASC Default policy setting "Monitor Vulnerability Assessment" is not "Disabled" | Vulnerabilities should be remediated by a Vulnerability Assessment solution | 1.0.0 |
| Security Center | 2.12 | Ensure ASC Default policy setting "Monitor JIT Network Access" is not "Disabled" | Management ports of virtual machines should be protected with just-in-time network access control | 1.0.1 |
| Security Center | 2.13 | Ensure ASC Default policy setting "Monitor Adaptive Application Whitelisting" is not "Disabled" | Adaptive application controls for defining safe applications should be enabled on your machines | 1.0.2 |
| Virtual Machines | 7.1 | Ensure that 'OS disk' are encrypted | Disk encryption should be applied on virtual machines | 1.0.0 |
| Virtual Machines | 7.2 | Ensure that 'Data disks' are encrypted | Disk encryption should be applied on virtual machines | 1.0.0 |
| Virtual Machines | 7.3 | Ensure that 'Unattached disks' are encrypted | Unattached disks should be encrypted | 1.0.0 |
| Virtual Machines | 7.4 | Ensure that only approved extensions are installed | Only approved VM extensions should be installed | 1.0.0 |
| Virtual Machines | 7.5 | Ensure that the latest OS Patches for all Virtual Machines are applied | System updates should be installed on your machines | 1.0.0 |
| Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Monitor missing Endpoint Protection in Azure Security Center | 1.0.0 |

NIST SP 800-171 R2

For more information about this compliance standard, see NIST SP 800-171 R2.

| Domain | Control ID | Control Title | Policy (Azure portal) | Policy Version (GitHub) |
|---|---|---|---|---|
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords | 3.0.0 |
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Show audit results from Linux VMs that allow remote connections from accounts without passwords | 3.0.0 |
| Access Control | 3.1.4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Deploy prerequisites to audit Windows VMs in which the Administrators group contains any of the specified members | 1.2.0 |
| Access Control | 3.1.4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain all of the specified members | 1.2.0 |
| Access Control | 3.1.4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Show audit results from Windows VMs in which the Administrators group contains any of the specified members | 1.0.0 |
| Access Control | 3.1.4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Show audit results from Windows VMs in which the Administrators group does not contain all of the specified members | 1.0.0 |
| Access Control | 3.1.12 | Monitor and control remote access sessions. | Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords | 3.0.0 |
| Access Control | 3.1.12 | Monitor and control remote access sessions. | Show audit results from Linux VMs that allow remote connections from accounts without passwords | 3.0.0 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted | 1.0.0-preview |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | 1.0.1 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Audit Log Analytics workspace for VM - Report Mismatch | 1.0.1 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | The Log Analytics agent should be installed on Virtual Machine Scale Sets | 1.0.0 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | The Log Analytics agent should be installed on virtual machines | 1.0.0 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted | 1.0.0-preview |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | 1.0.1 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Audit Log Analytics workspace for VM - Report Mismatch | 1.0.1 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | The Log Analytics agent should be installed on Virtual Machine Scale Sets | 1.0.0 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | The Log Analytics agent should be installed on virtual machines | 1.0.0 |
| Configuration Management | 3.4.7 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | Adaptive application controls for defining safe applications should be enabled on your machines | 1.0.2 |
| Configuration Management | 3.4.8 | Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. | Adaptive application controls for defining safe applications should be enabled on your machines | 1.0.2 |
| Configuration Management | 3.4.9 | Control and monitor user-installed software. | Adaptive application controls for defining safe applications should be enabled on your machines | 1.0.2 |
| Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Deploy prerequisites to audit Linux VMs that have accounts without passwords | 3.0.0 |
| Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Show audit results from Linux VMs that have accounts without passwords | 3.0.0 |
| Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Deploy prerequisites to audit Linux VMs that have accounts without passwords | 3.0.0 |
| Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled | 1.2.0 |
| Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters | 1.2.0 |
| Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Show audit results from Linux VMs that have accounts without passwords | 3.0.0 |
| Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Show audit results from Windows VMs that do not have the password complexity setting enabled | 1.0.0 |
| Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters | 1.0.0 |
| Identification and Authentication | 3.5.8 | Prohibit password reuse for a specified number of generations. | Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords | 1.2.0 |
| Identification and Authentication | 3.5.8 | Prohibit password reuse for a specified number of generations. | Show audit results from Windows VMs that allow re-use of the previous 24 passwords | 1.0.0 |
| Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 | 3.0.0 |
| Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption | 1.2.0 |
| Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 | 3.0.0 |
| Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Show audit results from Windows VMs that do not store passwords using reversible encryption | 1.0.0 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Vulnerabilities in container security configurations should be remediated | 1.0.0 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Vulnerabilities in security configuration on your machines should be remediated | 1.0.0 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 1.0.0 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Vulnerabilities should be remediated by a Vulnerability Assessment solution | 1.0.0 |
| System and Communications Protection | 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Access through Internet facing endpoint should be restricted | 1.0.0 |
| System and Communications Protection | 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Adaptive Network Hardening recommendations should be applied on internet facing virtual machines | 1.0.0 |
| System and Communications Protection | 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Deploy prerequisites to audit Windows web servers that are not using secure communication protocols | 1.2.0 |
| System and Communications Protection | 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Show audit results from Windows web servers that are not using secure communication protocols | 1.0.0 |
| System and Communications Protection | 3.13.5 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | Access through Internet facing endpoint should be restricted | 1.0.0 |
| System and Communications Protection | 3.13.5 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | Adaptive Network Hardening recommendations should be applied on internet facing virtual machines | 1.0.0 |
| System and Communications Protection | 3.13.5 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | Internet-facing virtual machines should be protected with network security groups | 1.1.0 |
| System and Communications Protection | 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Deploy prerequisites to audit Windows web servers that are not using secure communication protocols | 1.2.0 |
| System and Communications Protection | 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Show audit results from Windows web servers that are not using secure communication protocols | 1.0.0 |
| System and Communications Protection | 3.13.16 | Protect the confidentiality of CUI at rest. | Disk encryption should be applied on virtual machines | 1.0.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | System updates on virtual machine scale sets should be installed | 1.0.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | System updates should be installed on your machines | 1.0.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Vulnerabilities in security configuration on your machines should be remediated | 1.0.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 1.0.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Vulnerabilities should be remediated by a Vulnerability Assessment solution | 1.0.0 |
| System and Information Integrity | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems. | Endpoint protection solution should be installed on virtual machine scale sets | 1.0.0 |
| System and Information Integrity | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems. | Microsoft IaaSAntimalware extension should be deployed on Windows servers | 1.0.0 |
| System and Information Integrity | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems. | Monitor missing Endpoint Protection in Azure Security Center | 1.0.0 |

NIST SP 800-53 R4

For more information about this compliance standard, see NIST SP 800-53 R4.

| Domain | Control ID | Control Title | Policy (Azure portal) | Policy Version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-2 (12) | Account Management \| Account Monitoring / Atypical Usage | Management ports of virtual machines should be protected with just-in-time network access control | 1.0.1 |
| Access Control | AC-5 | Separation of Duties | Deploy prerequisites to audit Windows VMs in which the Administrators group contains any of the specified members | 1.2.0 |
| Access Control | AC-5 | Separation of Duties | Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain all of the specified members | 1.2.0 |
| Access Control | AC-5 | Separation of Duties | Show audit results from Windows VMs in which the Administrators group contains any of the specified members | 1.0.0 |
| Access Control | AC-5 | Separation of Duties | Show audit results from Windows VMs in which the Administrators group does not contain all of the specified members | 1.0.0 |
| Access Control | AC-6 (7) | Least Privilege \| Review of User Privileges | Deploy prerequisites to audit Windows VMs in which the Administrators group contains any of the specified members | 1.2.0 |
| Access Control | AC-6 (7) | Least Privilege \| Review of User Privileges | Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain all of the specified members | 1.2.0 |
| Access Control | AC-6 (7) | Least Privilege \| Review of User Privileges | Show audit results from Windows VMs in which the Administrators group contains any of the specified members | 1.0.0 |
| Access Control | AC-6 (7) | Least Privilege \| Review of User Privileges | Show audit results from Windows VMs in which the Administrators group does not contain all of the specified members | 1.0.0 |
| Access Control | AC-17 (1) | Remote Access \| Automated Monitoring / Control | Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords | 3.0.0 |
| Access Control | AC-17 (1) | Remote Access \| Automated Monitoring / Control | Show audit results from Linux VMs that allow remote connections from accounts without passwords | 3.0.0 |
| Audit and Accountability | AU-3 (2) | Content of Audit Records \| Centralized Management of Planned Audit Record Content | [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted | 1.0.0-preview |
| Audit and Accountability | AU-3 (2) | Content of Audit Records \| Centralized Management of Planned Audit Record Content | Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | 1.0.1 |
| Audit and Accountability | AU-3 (2) | Content of Audit Records \| Centralized Management of Planned Audit Record Content | Audit Log Analytics workspace for VM - Report Mismatch | 1.0.1 |
| Audit and Accountability | AU-6 (4) | Audit Review, Analysis, and Reporting \| Central Review and Analysis | [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted | 1.0.0-preview |
| Audit and Accountability | AU-6 (4) | Audit Review, Analysis, and Reporting \| Central Review and Analysis | Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | 1.0.1 |
| Audit and Accountability | AU-6 (4) | Audit Review, Analysis, and Reporting \| Central Review and Analysis | Audit Log Analytics workspace for VM - Report Mismatch | 1.0.1 |
| Audit and Accountability | AU-12 | Audit Generation | [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted | 1.0.0-preview |
| Audit and Accountability | AU-12 | Audit Generation | Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | 1.0.1 |
| Audit and Accountability | AU-12 | Audit Generation | Audit Log Analytics workspace for VM - Report Mismatch | 1.0.1 |
| Configuration Management | CM-7 (2) | Least Functionality \| Prevent Program Execution | Adaptive application controls for defining safe applications should be enabled on your machines | 1.0.2 |
| Configuration Management | CM-7 (5) | Least Functionality \| Authorized Software / Whitelisting | Adaptive application controls for defining safe applications should be enabled on your machines | 1.0.2 |
| Configuration Management | CM-11 | User-Installed Software | Adaptive application controls for defining safe applications should be enabled on your machines | 1.0.2 |
| Contingency Planning | CP-7 | Alternate Processing Site | Audit virtual machines without disaster recovery configured | 1.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 | 3.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Deploy prerequisites to audit Linux VMs that have accounts without passwords | 3.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption | 1.2.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 | 3.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Show audit results from Linux VMs that have accounts without passwords | 3.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Show audit results from Windows VMs that do not store passwords using reversible encryption | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Authenticator Management \| Password-Based Authentication | Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords | 1.2.0 |
| Identification and Authentication | IA-5 (1) | Authenticator Management \| Password-Based Authentication | Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days | 1.2.0 |
| Identification and Authentication | IA-5 (1) | Authenticator Management \| Password-Based Authentication | Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day | 1.2.0 |
Identification and Authentication IA-5 (1) Authenticator Management | Password-Based Authentication Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled 1.2.0
Identification and Authentication IA-5 (1) Authenticator Management | Password-Based Authentication Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters 1.2.0
Identification and Authentication IA-5 (1) Authenticator Management | Password-Based Authentication Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption 1.2.0
Identification and Authentication IA-5 (1) Authenticator Management | Password-Based Authentication Show audit results from Windows VMs that allow re-use of the previous 24 passwords 1.0.0
Identification and Authentication IA-5 (1) Authenticator Management | Password-Based Authentication Show audit results from Windows VMs that do not have a maximum password age of 70 days 1.0.0
Identification and Authentication IA-5 (1) Authenticator Management | Password-Based Authentication Show audit results from Windows VMs that do not have a minimum password age of 1 day 1.0.0
Identification and Authentication IA-5 (1) Authenticator Management | Password-Based Authentication Show audit results from Windows VMs that do not have the password complexity setting enabled 1.0.0
Identification and Authentication IA-5 (1) Authenticator Management | Password-Based Authentication Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters 1.0.0
Identification and Authentication IA-5 (1) Authenticator Management | Password-Based Authentication Show audit results from Windows VMs that do not store passwords using reversible encryption 1.0.0
Risk Assessment RA-5 Vulnerability Scanning Vulnerabilities in security configuration on your machines should be remediated 1.0.0
Risk Assessment RA-5 Vulnerability Scanning Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 1.0.0
Risk Assessment RA-5 Vulnerability Scanning Vulnerabilities should be remediated by a Vulnerability Assessment solution 1.0.0
System and Communications Protection SC-7 Boundary Protection Access through Internet facing endpoint should be restricted 1.0.0
System and Communications Protection SC-7 Boundary Protection Adaptive Network Hardening recommendations should be applied on internet facing virtual machines 1.0.0
System and Communications Protection SC-7 (3) Boundary Protection | Access Points Management ports of virtual machines should be protected with just-in-time network access control 1.0.1
System and Communications Protection SC-7 (4) Boundary Protection | External Telecommunications Services Management ports of virtual machines should be protected with just-in-time network access control 1.0.1
System and Communications Protection SC-8 (1) Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical Protection Deploy prerequisites to audit Windows web servers that are not using secure communication protocols 1.2.0
System and Communications Protection SC-8 (1) Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical Protection Show audit results from Windows web servers that are not using secure communication protocols 1.0.0
System and Communications Protection SC-28 (1) Protection of Information at Rest | Cryptographic Protection Disk encryption should be applied on virtual machines 1.0.0
System and Information Integrity SI-2 Flaw Remediation System updates on virtual machine scale sets should be installed 1.0.0
System and Information Integrity SI-2 Flaw Remediation System updates should be installed on your machines 1.0.0
System and Information Integrity SI-2 Flaw Remediation Vulnerabilities in security configuration on your machines should be remediated 1.0.0
System and Information Integrity SI-2 Flaw Remediation Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 1.0.0
System and Information Integrity SI-2 Flaw Remediation Vulnerabilities should be remediated by a Vulnerability Assessment solution 1.0.0
System and Information Integrity SI-3 Malicious Code Protection Endpoint protection solution should be installed on virtual machine scale sets 1.0.0
System and Information Integrity SI-3 Malicious Code Protection Monitor missing Endpoint Protection in Azure Security Center 1.0.0
System and Information Integrity SI-3 (1) Malicious Code Protection | Central Management Endpoint protection solution should be installed on virtual machine scale sets 1.0.0
System and Information Integrity SI-3 (1) Malicious Code Protection | Central Management Monitor missing Endpoint Protection in Azure Security Center 1.0.0
System and Information Integrity SI-4 Information System Monitoring [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted 1.0.0-preview
System and Information Integrity SI-4 Information System Monitoring Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted 1.0.1
System and Information Integrity SI-4 Information System Monitoring Audit Log Analytics workspace for VM - Report Mismatch 1.0.1
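The Linux checks behind the IA-5 and AC-17 (1) rows (passwd file mode 0644, accounts whose shadow password field is empty, and sshd permitting remote logins from such accounts) are worth reproducing on a host before the Guest Configuration scan reports on it, because the AC-17 (1) finding only exists when both conditions hold at once. The script below is an added example, not part of this page, of the Azure Policy built-ins or of the Guest Configuration agent; it mirrors the intent stated in the policy names, not the exact logic the Azure audit runs. The /etc/shadow and sshd_config contents are constructed samples, and the live-run block at the bottom assumes a Linux host where the script runs as root.

```python
"""Local pre-check for the Linux audits listed under IA-5 and AC-17 (1):
/etc/passwd mode 0644, accounts without passwords, and sshd allowing remote
logins from passwordless accounts.

Added example; it follows the intent of the policy names, not the exact
evaluation logic of the Azure Guest Configuration audit.
"""
import os
import re
import stat

# Constructed sample inputs (not taken from any real host).
SAMPLE_SHADOW = (
    "root:$6$saltsalt$hashedhashed:19000:0:99999:7:::\n"
    "daemon:*:19000:0:99999:7:::\n"        # '*': locked, never a finding
    "svc_backup::19000:0:99999:7:::\n"     # empty field: no password at all
    "alice:!:19000:0:99999:7:::\n"         # '!': locked
    "bob:$y$j9T$abcdef$ghijkl:19000:0:99999:7:::\n"
)

SAMPLE_SSHD_CONFIG = (
    "# constructed sshd_config excerpt\n"
    "Port 22\n"
    "PasswordAuthentication yes\n"
    "#PermitEmptyPasswords no\n"           # commented out: a naive grep is fooled here
    "PermitEmptyPasswords yes\n"
    "Match User deploy\n"
    "    PermitEmptyPasswords no\n"        # inside Match: applies only to 'deploy'
)


def passwd_mode_finding(st_mode):
    """Return a finding string if the permission bits are not 0644.

    st_mode is the raw os.stat().st_mode; file-type bits are masked off.
    """
    perm = stat.S_IMODE(st_mode)
    if perm == 0o644:
        return None
    return f"/etc/passwd mode is {perm:04o}, expected 0644"


def accounts_without_password(shadow_text):
    """Usernames whose /etc/shadow password field is empty.

    An empty second field means login succeeds with no password; '*', '!'
    or a hash are not findings (locked or password-protected).
    """
    findings = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            findings.append(fields[0])
    return findings


# sshd accepts "Keyword value" or "Keyword=value"; keywords are case-insensitive.
_DIRECTIVE = re.compile(r"^([A-Za-z]+)\s*=?\s*(.*)$")


def permit_empty_passwords(sshd_text):
    """Effective global value of PermitEmptyPasswords (sshd default: no).

    sshd keeps the first value it reads for a keyword, and everything after
    the first 'Match' line is conditional, so the scan stops there.
    """
    for raw in sshd_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break
        if key == "permitemptypasswords":
            return value == "yes"
    return False


def audit(shadow_text, sshd_text, passwd_st_mode):
    """Run the three checks; an empty list means no findings."""
    findings = []
    mode_issue = passwd_mode_finding(passwd_st_mode)
    if mode_issue:
        findings.append(mode_issue)
    empty = accounts_without_password(shadow_text)
    if empty:
        findings.append("accounts without passwords: " + ", ".join(empty))
        # AC-17 (1): the remote-access finding needs both conditions at once.
        if permit_empty_passwords(sshd_text):
            findings.append("sshd PermitEmptyPasswords yes: those accounts "
                            "can log in over SSH without a password")
    return findings


if __name__ == "__main__":
    # Live run on a Linux host (reading /etc/shadow requires root).
    with open("/etc/shadow") as f:
        shadow = f.read()
    with open("/etc/ssh/sshd_config") as f:
        sshd = f.read()
    for finding in audit(shadow, sshd, os.stat("/etc/passwd").st_mode) or ["compliant"]:
        print(finding)
```

Two details matter in practice: a locked account ('*' or '!' in the shadow field) is not a passwordless account, so it must not be counted, and the sshd value has to be read the way sshd reads it (first occurrence wins, Match blocks are conditional), otherwise a commented-out `PermitEmptyPasswords no` above a live `yes` passes a grep-based check.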

Next steps