Azure.All

March 30, 2026 · View on GitHub

Includes all Azure rules.

Rules

The following rules are included within the Azure.All baseline.

This baseline includes a total of 534 rules.

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.ACI.Naming | Container Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness |
| Azure.ACR.AdminUser | The local admin account allows depersonalized access to a container registry using a shared secret. | Critical |
| Azure.ACR.AnonymousAccess | Anonymous pull access allows unidentified downloading of images and metadata from a container registry. | Important |
| Azure.ACR.AuditLogs | Ensure container registry audit diagnostic logs are enabled. | Important |
| Azure.ACR.ContainerScan | Container images or their base images may have vulnerabilities discovered after they are built. | Critical |
| Azure.ACR.ContentTrust | Docker content trust allows images to be signed and verified when pulled from a container registry. | Important |
| Azure.ACR.ExportPolicy | Export policy on Azure container registry may allow artifact exfiltration. | Important |
| Azure.ACR.Firewall | Container Registry without restrictions can be accessed from any network location including the Internet. | Important |
| Azure.ACR.GeoReplica | Applications or infrastructure relying on a container image may fail if the registry is not available at the time they start. | Important |
| Azure.ACR.ImageHealth | Remove container images with known vulnerabilities. | Critical |
| Azure.ACR.MinSku | The Basic SKU provides limited performance and features for production container registry workloads. | Important |
| Azure.ACR.Name | Container registry names should meet naming requirements. | Awareness |
| Azure.ACR.Naming | Container Registry resources without a standard naming convention may be difficult to identify and manage. | Awareness |
| Azure.ACR.Quarantine | Enable container image quarantine, scan, and mark images as verified. | Important |
| Azure.ACR.ReplicaLocation | The replication location determines the country or region where container images and metadata are stored and processed. | Important |
| Azure.ACR.Retention | Use a retention policy to clean up untagged manifests. | Important |
| Azure.ACR.SoftDelete | Container registry artifacts are permanently lost when accidentally deleted without soft delete protection. | Important |
| Azure.ACR.Usage | Regularly remove deprecated and unneeded images to reduce storage usage. | Important |
| Azure.ADX.DiskEncryption | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important |
| Azure.ADX.ManagedIdentity | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | Important |
| Azure.ADX.PublicAccess | Azure Data Explorer (ADX) clusters should have public network access disabled. | Critical |
| Azure.ADX.SLA | Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. | Important |
| Azure.ADX.Usage | Regularly remove unused resources to reduce costs. | Important |
| Azure.AI.DisableLocalAuth | Access keys allow depersonalized access to Azure AI using a shared secret. | Important |
| Azure.AI.FoundryNaming | Azure AI Foundry accounts without a standard naming convention may be difficult to identify and manage. | Awareness |
| Azure.AI.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
| Azure.AI.PrivateEndpoints | Use Private Endpoints to access Azure AI services accounts. | Important |
| Azure.AI.PublicAccess | Restrict access of Azure AI services to authorized virtual networks. | Important |
| Azure.AKS.AuditAdmin | Use kube-audit-admin instead of kube-audit to capture administrative actions in AKS clusters. | Important |
| Azure.AKS.AuditLogs | AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. | Important |
| Azure.AKS.AuthorizedIPs | Restrict access to API server endpoints to authorized IP addresses. | Important |
| Azure.AKS.AutoScaling | Use autoscaling to scale clusters based on workload requirements. | Important |
| Azure.AKS.AutoUpgrade | New versions of Kubernetes are released regularly. Upgrading each release manually can add operational overhead without realizing equivalent value. | Important |
| Azure.AKS.AvailabilityZone | AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. | Important |
| Azure.AKS.AzurePolicyAddOn | Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. | Important |
| Azure.AKS.AzureRBAC | Use Azure RBAC for Kubernetes Authorization with AKS clusters. | Important |
| Azure.AKS.CNISubnetSize | AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. | Important |
| Azure.AKS.ContainerInsights | Enable Container insights to monitor AKS cluster workloads. | Important |
| Azure.AKS.DefenderProfile | Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. | Important |
| Azure.AKS.DNSPrefix | Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. | Awareness |
| Azure.AKS.EphemeralOSDisk | AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. | Important |
| Azure.AKS.HttpAppRouting | Disable HTTP application routing add-on in AKS clusters. | Important |
| Azure.AKS.LocalAccounts | Enforce named user accounts with RBAC assigned permissions. | Important |
| Azure.AKS.MaintenanceWindow | Configure customer-controlled maintenance windows for AKS clusters. | Important |
| Azure.AKS.ManagedAAD | Use AKS-managed Azure AD to simplify authorization and improve security. | Important |
| Azure.AKS.ManagedIdentity | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important |
| Azure.AKS.MinNodeCount | AKS clusters should have a minimum number of system nodes for failover and updates. | Important |
| Azure.AKS.MinUserPoolNodes | User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. | Important |
| Azure.AKS.Name | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness |
| Azure.AKS.Naming | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness |
| Azure.AKS.NetworkPolicy | AKS clusters without inter-pod network restrictions may permit unauthorized lateral movement. | Important |
| Azure.AKS.NodeAutoUpgrade | Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities. | Important |
| Azure.AKS.NodeMinPods | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important |
| Azure.AKS.PlatformLogs | AKS clusters should collect platform diagnostic logs to monitor the state of workloads. | Important |
| Azure.AKS.PoolScaleSet | Deploy AKS clusters with node pools based on VM scale sets. | Important |
| Azure.AKS.PoolVersion | AKS node pools should match the Kubernetes control plane version. | Important |
| Azure.AKS.SecretStore | Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. | Important |
| Azure.AKS.SecretStoreRotation | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | Important |
| Azure.AKS.StandardLB | Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. | Important |
| Azure.AKS.SystemPoolNaming | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness |
| Azure.AKS.UptimeSLA | AKS clusters should have Uptime SLA enabled for a financially backed SLA. | Important |
| Azure.AKS.UseRBAC | Deploy AKS cluster with role-based access control (RBAC) enabled. | Important |
| Azure.AKS.UserPoolNaming | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness |
| Azure.AKS.Version | Older versions of Kubernetes may have known bugs or security vulnerabilities, and may have limited support. | Important |
| Azure.Alert.HighFrequencyQuery | High frequency scheduled queries are charged at a higher rate than low frequency queries. | Important |
| Azure.Alert.MetricAutoMitigate | Alerts that require manual intervention for mitigation can lead to increased personnel time and effort. | Important |
| Azure.APIM.APIDescriptors | APIs should have a display name and description. | Awareness |
| Azure.APIM.AvailabilityZone | API Management instances should use availability zones in supported regions for high availability. | Important |
| Azure.APIM.CertificateExpiry | Renew certificates used for custom domain bindings. | Important |
| Azure.APIM.Ciphers | API Management should not accept weak or deprecated ciphers for client or backend communication. | Critical |
| Azure.APIM.CORSPolicy | Avoid using wildcard for any configuration option in CORS policies. | Important |
| Azure.APIM.DefenderCloud | APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. | Critical |
| Azure.APIM.EncryptValues | Encrypt all API Management named values with Key Vault secrets. | Important |
| Azure.APIM.HTTPBackend | Unencrypted communication could allow disclosure of information to an untrusted party. | Critical |
| Azure.APIM.HTTPEndpoint | Unencrypted communication could allow disclosure of information to an untrusted party. | Important |
| Azure.APIM.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
| Azure.APIM.MinAPIVersion | API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. | Important |
| Azure.APIM.MultiRegion | Enhance service availability and resilience by deploying API Management instances across multiple regions. | Important |
| Azure.APIM.MultiRegionGateway | API Management instances should have multi-region deployment gateways enabled. | Important |
| Azure.APIM.Name | API Management service names should meet naming requirements. | Awareness |
| Azure.APIM.PolicyBase | Base element for any policy element in a section should be configured. | Important |
| Azure.APIM.ProductApproval | Configure products to require approval. | Important |
| Azure.APIM.ProductDescriptors | API Management products should have a display name and description. | Awareness |
| Azure.APIM.ProductSubscription | Configure products to require a subscription. | Important |
| Azure.APIM.ProductTerms | Set legal terms for each product registered in API Management. | Important |
| Azure.APIM.Protocols | API Management should only accept a minimum of TLS 1.2 for client and backend communication. | Critical |
| Azure.APIM.SampleProducts | API Management Services with default products configured may expose more APIs than intended. | Awareness |
| Azure.AppConfig.AuditLogs | Ensure app configuration store audit diagnostic logs are enabled. | Important |
| Azure.AppConfig.DisableLocalAuth | Access keys allow depersonalized access to App Configuration using a shared secret. | Important |
| Azure.AppConfig.GeoReplica | Replicate app configuration store across all points of presence for an application. | Important |
| Azure.AppConfig.Name | App Configuration store names should meet naming requirements. | Awareness |
| Azure.AppConfig.PurgeProtect | Consider purge protection for app configuration store to ensure the store cannot be purged in the retention period. | Important |
| Azure.AppConfig.ReplicaLocation | The replication location determines the country or region where configuration data is stored and processed. | Important |
| Azure.AppConfig.SecretLeak | Secrets stored as key values in an App Configuration Store may be leaked to unauthorized users. | Critical |
| Azure.AppConfig.SKU | App Configuration should use a minimum size of Standard. | Important |
| Azure.AppGw.AvailabilityZone | Application Gateway (App Gateway) should use availability zones in supported regions for improved resiliency. | Important |
| Azure.AppGw.MigrateV2 | Use an Application Gateway v2 SKU. | Important |
| Azure.AppGw.MigrateWAFPolicy | Migrate to Application Gateway WAF policy. | Critical |
| Azure.AppGw.MinInstance | Application Gateways should use a minimum of two instances. | Important |
| Azure.AppGw.MinSku | Application Gateway should use a minimum instance size of Medium. | Important |
| Azure.AppGw.Name | Application Gateways should meet naming requirements. | Awareness |
| Azure.AppGw.OWASP | Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. | Important |
| Azure.AppGw.Prevention | Internet exposed Application Gateways should use prevention mode to protect backend resources. | Critical |
| Azure.AppGw.SSLPolicy | Application Gateway should only accept a minimum of TLS 1.2. | Critical |
| Azure.AppGw.UseHTTPS | Application Gateways should only expose frontend HTTP endpoints over HTTPS. | Critical |
| Azure.AppGw.UseWAF | Internet accessible Application Gateways should protect endpoints with WAF. | Critical |
| Azure.AppGw.WAFEnabled | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical |
| Azure.AppGw.WAFRules | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Important |
| Azure.AppGwWAF.Enabled | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical |
| Azure.AppGwWAF.Exclusions | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical |
| Azure.AppGwWAF.PreventionMode | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical |
| Azure.AppGwWAF.RuleGroups | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | Critical |
| Azure.AppInsights.LocalAuth | Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier. | Critical |
| Azure.AppInsights.Name | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness |
| Azure.AppInsights.Naming | Application Insights resources without a standard naming convention may be difficult to identify and manage. | Awareness |
| Azure.AppInsights.Workspace | Configure Application Insights resources to store data in a workspace. | Important |
| Azure.AppService.AlwaysOn | Configure Always On for App Service apps. | Important |
| Azure.AppService.ARRAffinity | Disable client affinity for stateless services. | Awareness |
| Azure.AppService.AvailabilityZone | Deploy app service plan instances using availability zones in supported regions to ensure high availability and resilience. | Important |
| Azure.AppService.HTTP2 | Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. | Awareness |
| Azure.AppService.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
| Azure.AppService.MinPlan | Use at least a Standard App Service Plan. | Important |
| Azure.AppService.MinTLS | App Service should not accept weak or deprecated transport protocols for client-server communication. | Critical |
| Azure.AppService.NETVersion | Configure applications to use newer .NET versions. | Important |
| Azure.AppService.NodeJsVersion | Configure applications to use supported Node.js runtime versions. | Important |
| Azure.AppService.PHPVersion | Configure applications to use newer PHP runtime versions. | Important |
| Azure.AppService.PlanInstanceCount | App Service Plan should use a minimum number of instances for failover. | Important |
| Azure.AppService.RemoteDebug | Disable remote debugging on App Service apps when not in use. | Important |
| Azure.AppService.UseHTTPS | Unencrypted communication could allow disclosure of information to an untrusted party. | Important |
| Azure.AppService.WebProbe | Configure and enable instance health probes. | Important |
| Azure.AppService.WebProbePath | Configure a dedicated path for health probe requests. | Important |
| Azure.AppService.WebSecureFtp | Web apps should disable insecure FTP and configure SFTP when required. | Important |
| Azure.Arc.Kubernetes.Defender | Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. | Important |
| Azure.Arc.Server.MaintenanceConfig | Use a maintenance configuration for Arc-enabled servers. | Important |
| Azure.ASE.AvailabilityZone | Deploy app service environments using availability zones in supported regions to ensure high availability and resilience. | Important |
| Azure.ASE.MigrateV3 | Use ASEv3 as a replacement for the classic app service environment versions ASEv1 and ASEv2. | Important |
| Azure.ASG.Name | Application Security Group (ASG) names should meet naming requirements. | Awareness |
| Azure.Automation.AuditLogs | Ensure automation account audit diagnostic logs are enabled. | Important |
| Azure.Automation.EncryptVariables | Azure Automation variables should be encrypted. | Important |
| Azure.Automation.ManagedIdentity | Ensure Managed Identity is used for authentication. | Important |
| Azure.Automation.PlatformLogs | Ensure automation account platform diagnostic logs are enabled. | Important |
| Azure.Automation.WebHookExpiry | Do not create webhooks with an expiry time greater than 1 year (default). | Awareness |
| Azure.AVD.ScheduleAgentUpdate | Define a window for agent updates to minimize disruptions to users. | Important |
| Azure.Bastion.Name | Bastion hosts should meet naming requirements. | Awareness |
| Azure.BV.Immutable | Ensure immutability is configured to protect backup data. | Important |
| Azure.CDN.EndpointName | Azure CDN Endpoint names should meet naming requirements. | Awareness |
| Azure.CDN.HTTP | Unencrypted communication could allow disclosure of information to an untrusted party. | Important |
| Azure.CDN.MinTLS | Azure CDN endpoints should reject TLS versions older than 1.2. | Important |
| Azure.CDN.UseFrontDoor | Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. | Important |
| Azure.ContainerApp.APIVersion | Migrate from retired API version to a supported version. | Important |
| Azure.ContainerApp.AvailabilityZone | Use Container Apps environments that are zone redundant to improve reliability. | Important |
| Azure.ContainerApp.DisableAffinity | Disable session affinity to prevent unbalanced distribution. | Awareness |
| Azure.ContainerApp.EnvNaming | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | Awareness |
| Azure.ContainerApp.ExternalIngress | Limit inbound communication for Container Apps to callers within the Container Apps Environment. | Important |
| Azure.ContainerApp.HealthProbe | Container app ingress that uses HTTP should have HTTP health probes configured for liveness and readiness checks. | Important |
| Azure.ContainerApp.Insecure | Ensure insecure inbound traffic is not permitted to the container app. | Important |
| Azure.ContainerApp.JobNaming | Container App Job resources without a standard naming convention may be difficult to identify and manage. | Awareness |
| Azure.ContainerApp.ManagedIdentity | Ensure managed identity is used for authentication. | Important |
| Azure.ContainerApp.MinReplicas | Use multiple replicas to remove a single point of failure. | Important |
| Azure.ContainerApp.Name | Container Apps should meet naming requirements. | Awareness |
| Azure.ContainerApp.Naming | Container App resources without a standard naming convention may be difficult to identify and manage. | Awareness |
| Azure.ContainerApp.PublicAccess | Ensure public network access for Container Apps environment is disabled. | Important |
| Azure.ContainerApp.RestrictIngress | IP ingress restrictions mode should be set to allow action for all rules defined. | Important |
| Azure.ContainerApp.Storage | Use Azure Files volume mounts to persist container data. | Awareness |
| Azure.Cosmos.AccountName | Cosmos DB account names should meet naming requirements. | Awareness |
| Azure.Cosmos.AvailabilityZone | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | Important |
| Azure.Cosmos.CassandraNaming | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | Awareness |
| Azure.Cosmos.ContinuousBackup | Enable continuous backup on Cosmos DB accounts. | Important |
| Azure.Cosmos.DatabaseNaming | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness |
| Azure.Cosmos.DefenderCloud | Enable Microsoft Defender for Azure Cosmos DB. | Critical |
| Azure.Cosmos.DisableMetadataWrite | Use Entra ID identities for management plane operations in Azure Cosmos DB. | Important |
| Azure.Cosmos.GremlinNaming | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness |
| Azure.Cosmos.MinTLS | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical |
| Azure.Cosmos.MongoAvailabilityZone | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important |
| Azure.Cosmos.MongoEntraID | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical |
| Azure.Cosmos.MongoNaming | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness |
| Azure.Cosmos.NoSQLLocalAuth | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical |
| Azure.Cosmos.NoSQLNaming | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness |
| Azure.Cosmos.PostgreSQLNaming | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness |
| Azure.Cosmos.PublicAccess | Azure Cosmos DB should have public network access disabled. | Critical |
| Azure.Cosmos.SLA | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important |
| Azure.Cosmos.TableNaming | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. | Awareness |
| Azure.Databricks.PublicAccess | Azure Databricks workspaces should disable public network access. | Critical |
| Azure.Databricks.SecureConnectivity | Use Databricks workspaces configured for secure cluster connectivity. | Critical |
| Azure.Databricks.SKU | Ensure Databricks workspaces are non-trial SKUs for production workloads. | Critical |
| Azure.DataFactory.Version | Consider migrating to DataFactory v2. | Awareness |
| Azure.Defender.Api | Enable Microsoft Defender for APIs. | Critical |
| Azure.Defender.AppServices | Enable Microsoft Defender for App Service. | Critical |
| Azure.Defender.Arm | Enable Microsoft Defender for Azure Resource Manager (ARM). | Critical |
| Azure.Defender.Containers | Enable Microsoft Defender for Containers. | Critical |
| Azure.Defender.CosmosDb | Enable Microsoft Defender for Azure Cosmos DB. | Critical |
| Azure.Defender.Cspm | Enable Microsoft Defender Cloud Security Posture Management Standard plan. | Critical |
| Azure.Defender.Dns | Enable Microsoft Defender for DNS. | Critical |
| Azure.Defender.KeyVault | Enable Microsoft Defender for Key Vault. | Critical |
| Azure.Defender.OssRdb | Enable Microsoft Defender for open-source relational databases. | Critical |
| Azure.Defender.SecurityContact | Important security notifications may be lost or not processed in a timely manner when a clear security contact is not identified. | Important |
| Azure.Defender.Servers | Enable Microsoft Defender for Servers. | Critical |
| Azure.Defender.SQL | Enable Microsoft Defender for SQL servers. | Critical |
| Azure.Defender.SQLOnVM | Enable Microsoft Defender for SQL servers on machines. | Critical |
| Azure.Defender.Storage | Enable Microsoft Defender for Storage. | Critical |
| Azure.Defender.Storage.DataScan | Enable sensitive data threat detection in Microsoft Defender for Storage. | Critical |
| Azure.Defender.Storage.MalwareScan | Enable Malware Scanning in Microsoft Defender for Storage. | Critical |
| Azure.DefenderCloud.ActiveAlerts | Alerts that have not received a response may indicate a security issue that requires attention. | Important |
| Azure.DefenderCloud.Provisioning | Enable auto-provisioning to improve Microsoft Defender for Cloud insights. | Important |
| Azure.Deployment.AdminUsername | A sensitive property set from deterministic or hardcoded values is not secure. | Awareness |
| Azure.Deployment.Name | Nested deployments should meet naming requirements of deployments. | Awareness |
| Azure.Deployment.OuterSecret | Outer evaluation deployments may leak secrets exposed as secure parameters into logs and nested deployments. | Critical |
| Azure.Deployment.OutputSecretValue | Outputting a sensitive value from deployment may leak secrets into deployment history or logs. | Critical |
| Azure.Deployment.SecretLeak | Sensitive parameters that have not been marked as secure may leak the secret into deployment history or logs. | Critical |
| Azure.Deployment.SecureParameter | Sensitive parameters that have not been marked as secure may leak the secret into deployment history or logs. | Critical |
| Azure.Deployment.SecureValue | A secret property set from a non-secure value may leak the secret into deployment history or logs. | Critical |
| Azure.DevBox.ProjectLimit | Limit the number of Dev Boxes a single user can create for a project. | Important |
| Azure.DNS.DNSSEC | DNS may be vulnerable to several attacks when the DNS clients are not able to verify the authenticity of the DNS responses. | Important |
| Azure.EntraDS.MinReplicas | Applications or infrastructure relying on a managed domain may fail if the domain is not available. | Important |
| Azure.EntraDS.NTLM | Disable NTLM v1 for Microsoft Entra Domain Services. | Critical |
| Azure.EntraDS.RC4 | Disable RC4 encryption for Microsoft Entra Domain Services. | Critical |
| Azure.EntraDS.ReplicaLocation | The location of a replica set determines the country or region where the data is stored and processed. | Important |
| Azure.EntraDS.SKU | The default SKU for Microsoft Entra Domain Services supports resiliency in a single region. | Important |
| Azure.EntraDS.TLS | Disable TLS v1 for Microsoft Entra Domain Services. | Critical |
| Azure.EventGrid.DisableLocalAuth | Authenticate publishing clients with Azure AD identities. | Important |
| Azure.EventGrid.DomainNaming | Event Grid domains without a standard naming convention may be difficult to identify and manage. | Awareness |
| Azure.EventGrid.DomainTLS | Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities. | Critical |
| Azure.EventGrid.ManagedIdentity | Use managed identities to deliver Event Grid Topic events. | Important |
| Azure.EventGrid.NamespaceTLS | Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities. | Critical |
| Azure.EventGrid.SystemTopicNaming | Event Grid system topics without a standard naming convention may be difficult to identify and manage. | Awareness |
| Azure.EventGrid.TopicNaming | Event Grid topics without a standard naming convention may be difficult to identify and manage. | Awareness |
| Azure.EventGrid.TopicPublicAccess | Use Private Endpoints to access Event Grid topics and domains. | Important |
| Azure.EventGrid.TopicTLS | Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities. | Critical |
| Azure.EventHub.AvailabilityZone | Use zone redundant Event Hub namespaces in supported regions to improve reliability. | Important |
| Azure.EventHub.DisableLocalAuth | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important |
| Azure.EventHub.Firewall | Access to the namespace endpoints should be restricted to only allowed sources. | Critical |
| Azure.EventHub.MinTLS | Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities. | Critical |
| Azure.EventHub.Usage | Regularly remove unused resources to reduce costs. | Important |
| Azure.Firewall.AvailabilityZone | Deploy firewall instances using availability zones in supported regions to ensure high availability and resilience. | Important |
| Azure.Firewall.Mode | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical |
| Azure.Firewall.Name | Firewall names should meet naming requirements. | Awareness |
| Azure.Firewall.PolicyMode | Deny high confidence malicious IP addresses, domains and URLs. | Critical |
| Azure.Firewall.PolicyName | Firewall policy names should meet naming requirements. | Awareness |
| Azure.FrontDoor.Logs | Audit and monitor access through Azure Front Door profiles. | Important |
| Azure.FrontDoor.ManagedIdentity | Ensure Front Door uses a managed identity to authorize access to Azure resources. | Important |
| Azure.FrontDoor.MinTLS | Front Door Classic instances should reject TLS versions older than 1.2. | Critical |
| Azure.FrontDoor.Name | Front Door names should meet naming requirements. | Awareness |
| Azure.FrontDoor.Probe | Use health probes to check the health of each backend. | Important |
| Azure.FrontDoor.ProbeMethod | Configure health probes to use HEAD requests to reduce performance overhead. | Important |
| Azure.FrontDoor.ProbePath | Configure a dedicated path for health probe requests. | Important |
| Azure.FrontDoor.State | Enable Azure Front Door Classic instance. | Important |
| Azure.FrontDoor.UseCaching | Use caching to reduce retrieving contents from origins. | Important |
| Azure.FrontDoor.UseWAF | Enable Web Application Firewall (WAF) policies on each Front Door endpoint. | Critical |
| Azure.FrontDoor.WAF.Enabled | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | Critical |
| Azure.FrontDoor.WAF.Mode | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical |
| Azure.FrontDoor.WAF.Name | Front Door WAF policy names should meet naming requirements. | Awareness |
| Azure.FrontDoorWAF.Enabled | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | Critical |
| Azure.FrontDoorWAF.Exclusions | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. | Critical |
| Azure.FrontDoorWAF.PreventionMode | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical |
| Azure.FrontDoorWAF.RuleGroups | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical |
| Azure.Grafana.AvailabilityZone | Use zone redundant Grafana workspaces in supported regions to improve reliability. | Important |
| Azure.Grafana.Version | Grafana workspaces should be on Grafana version 10. | Important |
| Azure.Group.Name | Azure Resource Manager (ARM) has requirements for Resource Group names. | Awareness |
| Azure.Group.Naming | Resource Groups without a standard naming convention may be difficult to identify and manage. | Awareness |
| Azure.Group.RequiredTags | Resource groups without a standard tagging convention may be difficult to identify and manage. | Awareness |
| Azure.Identity.UserAssignedName | Managed Identity names should meet naming requirements. | Awareness |
| Azure.ImageBuilder.CustomizeHash | External scripts that are not pinned may be modified to execute privileged actions by an unauthorized user. | Important |
| Azure.ImageBuilder.ValidateHash | External scripts that are not pinned may be modified to execute privileged actions by an unauthorized user. | Important |
| Azure.IoTHub.MinTLS | IoT Hubs should reject TLS versions older than 1.2. | Critical |
| Azure.KeyVault.AccessPolicy | Use the principle of least privilege when assigning access to Key Vault. | Important |
| Azure.KeyVault.AutoRotationPolicy | Keys that become compromised may be used to spoof, decrypt, or gain access to sensitive data. | Important |
| Azure.KeyVault.Firewall | Key Vault should only accept explicitly allowed traffic. | Important |
| Azure.KeyVault.KeyName | Key Vault Key names should meet naming requirements. | Awareness |
| Azure.KeyVault.Logs | Ensure audit diagnostics logs are enabled to audit Key Vault access. | Important |
| Azure.KeyVault.Name | Key Vault names should meet naming requirements. | Awareness |
| Azure.KeyVault.PurgeProtect | Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. | Important |
| Azure.KeyVault.RBAC | Key Vaults should use Azure RBAC as the authorization system for the data plane. | Awareness |
| Azure.KeyVault.SecretName | Key Vault Secret names should meet naming requirements. | Awareness |
| Azure.KeyVault.SoftDelete | Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. | Important |
| Azure.LB.AvailabilityZone | Load balancers deployed with Standard SKU should be zone-redundant for high availability. | Important |
| Azure.LB.Name | Load Balancer names should meet naming requirements. | Awareness |
| Azure.LB.Naming | Load balancer names should use a standard prefix. | Awareness |
| Azure.LB.Probe | Use a specific probe for web protocols. | Important |
| Azure.LB.StandardSKU | Load balancers should be deployed with Standard SKU for production workloads. | Important |
| Azure.Log.Name | Azure Resource Manager (ARM) has requirements for Azure Monitor Log workspace names. | Awareness |
| Azure.Log.Naming | Azure Monitor Log workspaces without a standard naming convention may be difficult to identify and manage. | Awareness |
| Azure.Log.ReplicaLocation | The replication location determines the country or region where the data is stored and processed. | Important |
| Azure.Log.Replication | Log Analytics workspaces should have workspace replication enabled to improve service availability. | Important |
| Azure.LogicApp.LimitHTTPTrigger | Logic Apps using HTTP triggers without restrictions can be accessed from any network location including the Internet. | Critical |
| Azure.MariaDB.AllowAzureAccess | Determine if access from Azure services is required. | Important |
| Azure.MariaDB.DatabaseName | Azure Database for MariaDB databases should meet naming requirements. | Awareness |
| Azure.MariaDB.DefenderCloud | Enable Microsoft Defender for Cloud for Azure Database for MariaDB. | Important |
| Azure.MariaDB.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses. | Important |
| Azure.MariaDB.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | Awareness |
| Azure.MariaDB.FirewallRuleName | Azure Database for MariaDB firewall rules should meet naming requirements. | Awareness |
| Azure.MariaDB.GeoRedundantBackup | Azure Database for MariaDB should store backups in a geo-redundant storage. | Important |
| Azure.MariaDB.MinTLS | Azure Database for MariaDB servers should reject TLS versions older than 1.2. | Critical |
| Azure.MariaDB.ServerName | Azure Database for MariaDB servers should meet naming requirements. | Awareness |
| Azure.MariaDB.UseSSL | Azure Database for MariaDB servers should only accept encrypted connections. | Critical |
| Azure.MariaDB.VNETRuleName | Azure Database for MariaDB VNET rules should meet naming requirements. | Awareness |
| Azure.MICassandra.AvailabilityZone | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | Important |
| Azure.ML.ComputeIdleShutdown | Configure an idle shutdown timeout for Machine Learning compute instances. | Critical |
| Azure.ML.ComputeVnet | Azure Machine Learning Computes should be hosted in a virtual network (VNet). | Critical |
| Azure.ML.DisableLocalAuth | Azure Machine Learning compute resources should have local authentication methods disabled. | Critical |
| Azure.ML.PublicAccess | Disable public network access from an Azure Machine Learning workspace. | Critical |
| Azure.ML.UserManagedIdentity | ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. | Important |
Azure.Monitor.ServiceHealthConfigure Service Health alerts to notify administrators.Important
Azure.MySQL.AADUse Entra ID authentication with Azure Database for MySQL databases.Critical
Azure.MySQL.AADOnlyEnsure Entra ID only authentication is enabled with Azure Database for MySQL databases.Important
Azure.MySQL.AllowAzureAccessDetermine if access from Azure services is required.Important
Azure.MySQL.DefenderCloudEnable Microsoft Defender for Cloud for Azure Database for MySQL.Important
Azure.MySQL.FirewallIPRangeDetermine if there is an excessive number of permitted IP addresses.Important
Azure.MySQL.FirewallRuleCountDetermine if there is an excessive number of firewall rules.Awareness
Azure.MySQL.GeoRedundantBackupAzure Database for MySQL should store backups in a geo-redundant storage.Important
Azure.MySQL.MaintenanceWindowConfigure a customer-controlled maintenance window for Azure Database for MySQL servers.Important
Azure.MySQL.MinTLSMySQL DB servers should reject TLS versions older than 1.2.Critical
Azure.MySQL.ServerNameAzure MySQL DB server names should meet naming requirements.Awareness
Azure.MySQL.ServerNamingMySQL database server resources without a standard naming convention may be difficult to identify and manage.Awareness
Azure.MySQL.UseFlexibleUse Azure Database for MySQL Flexible Server deployment model.Important
Azure.MySQL.UseSSLEnforce encrypted MySQL connections.Critical
Azure.MySQL.ZoneRedundantHADeploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience.Important
Azure.NIC.AttachedNetwork interfaces (NICs) that are not used should be removed.Awareness
Azure.NIC.NameNetwork Interface (NIC) names should meet naming requirements.Awareness
Azure.NIC.UniqueDnsNetwork interfaces (NICs) should inherit DNS from virtual networks.Awareness
Azure.NSG.AKSRulesAKS Network Security Group (NSG) should not have custom rules.Awareness
Azure.NSG.AnyInboundSourceNetwork security groups (NSGs) should avoid rules that allow "any" as an inbound source.Critical
Azure.NSG.AssociatedNetwork Security Groups (NSGs) should be associated to a subnet or network interface.Awareness
Azure.NSG.DenyAllInboundWhen all inbound traffic is denied, some functions that affect the reliability of your service may not work as expected.Important
Azure.NSG.LateralTraversalDeny outbound management connections from non-management hosts.Important
Azure.NSG.NameAzure Resource Manager (ARM) has requirements for Network Security Group (NSG) names.Awareness
Azure.NSG.NamingNetwork security group (NSG) without a standard naming convention may be difficult to identify and manage.Awareness
Azure.Policy.AssignmentAssignedByPolicy assignments should use assignedBy metadata.Awareness
Azure.Policy.AssignmentDescriptorsPolicy assignments should use a display name and description.Awareness
Azure.Policy.DescriptorsPolicy and initiative definitions should use a display name, description, and category.Awareness
Azure.Policy.ExemptionDescriptorsPolicy exemptions should use a display name and description.Awareness
Azure.Policy.WaiverExpiryConfigure policy waiver exemptions to expire.Awareness
Azure.PostgreSQL.AADUse Entra ID authentication with Azure Database for PostgreSQL databases.Critical
Azure.PostgreSQL.AADOnlyEnsure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases.Important
Azure.PostgreSQL.AllowAzureAccessDetermine if access from Azure services is required.Important
Azure.PostgreSQL.DefenderCloudEnable Microsoft Defender for Cloud for Azure Database for PostgreSQL.Important
Azure.PostgreSQL.FirewallIPRangeDetermine if there is an excessive number of permitted IP addresses.Important
Azure.PostgreSQL.FirewallRuleCountDetermine if there is an excessive number of firewall rules.Awareness
Azure.PostgreSQL.GeoRedundantBackupAzure Database for PostgreSQL should store backups in a geo-redundant storage.Important
Azure.PostgreSQL.MaintenanceWindowConfigure a customer-controlled maintenance window for Azure Database for PostgreSQL servers.Important
Azure.PostgreSQL.MinTLSPostgreSQL DB servers should reject TLS versions older than 1.2.Critical
Azure.PostgreSQL.ServerNameAzure PostgreSQL DB server names should meet naming requirements.Awareness
Azure.PostgreSQL.ServerNamingPostgreSQL database server resources without a standard naming convention may be difficult to identify and manage.Awareness
Azure.PostgreSQL.UseSSLEnforce encrypted PostgreSQL connections.Critical
Azure.PostgreSQL.ZoneRedundantHADeploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience.Important
Azure.PrivateEndpoint.NamePrivate Endpoint names should meet naming requirements.Awareness
Azure.PublicIP.AvailabilityZonePublic IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability.Important
Azure.PublicIP.DNSLabelPublic IP domain name labels should meet naming requirements.Awareness
Azure.PublicIP.IsAttachedPublic IP addresses should be attached or cleaned up if not in use.Important
Azure.PublicIP.MigrateStandardUse the Standard SKU for Public IP addresses as the Basic SKU will be retired.Important
Azure.PublicIP.NameAzure Resource Manager (ARM) has requirements for Public IP address names.Awareness
Azure.PublicIP.NamingPublic IP addresses without a standard naming convention may be difficult to identify and manage.Awareness
Azure.PublicIP.StandardSKUThe basic SKU is being retired on 30 September 2025, and does not include several reliability and security features.Important
Azure.RBAC.CoAdministratorDelegate access to manage Azure resources using role-based access control (RBAC).Important
Azure.RBAC.LimitMGDelegationLimit Role-Base Access Control (RBAC) inheritance from Management Groups.Important
Azure.RBAC.LimitOwnerLimit the number of subscription Owners.Important
Azure.RBAC.PIMUse just-in-time (JiT) activation of roles instead of persistent role assignment.Important
Azure.RBAC.UseGroupsUse groups for assigning permissions instead of individual user accounts.Important
Azure.RBAC.UseRGDelegationUse RBAC assignments on resource groups instead of individual resources.Important
Azure.Redis.AvailabilityZonePremium Redis cache should be deployed with availability zones for high availability.Important
Azure.Redis.EntraIDUse Entra ID authentication with cache instances.Critical
Azure.Redis.FirewallIPRangeDetermine if there is an excessive number of permitted IP addresses for the Redis cache.Critical
Azure.Redis.FirewallRuleCountDetermine if there is an excessive number of firewall rules for the Redis cache.Awareness
Azure.Redis.LocalAuthAccess keys allow depersonalized access to Azure Cache for Redis using a shared secret.Important
Azure.Redis.MaxMemoryReservedConfigure maxmemory-reserved to reserve memory for non-cache operations.Important
Azure.Redis.MigrateAMRAzure Cache for Redis is being retired. Migrate to Azure Managed Redis.Important
Azure.Redis.MinSKUUse Azure Cache for Redis instances of at least Standard C1.Important
Azure.Redis.MinTLSRedis Cache should reject TLS versions older than 1.2.Critical
Azure.Redis.NamingAzure Cache for Redis resources without a standard naming convention may be difficult to identify and manage.Awareness
Azure.Redis.NonSslPortAzure Cache for Redis should only accept secure connections.Critical
Azure.Redis.PublicNetworkAccessRedis cache should disable public network access.Critical
Azure.Redis.VersionAzure Cache for Redis should use the latest supported version of Redis.Important
Azure.RedisEnterprise.MigrateAMRAzure Cache for Redis Enterprise and Enterprise Flash are being retired. Migrate to Azure Managed Redis.Important
Azure.RedisEnterprise.MinTLSRedis Cache should reject TLS versions older than 1.2.Critical
Azure.RedisEnterprise.NamingAzure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage.Awareness
Azure.RedisEnterprise.ZonesEnterprise Redis cache should be zone-redundant for high availability.Important
Azure.Resource.AllowedRegionsThe deployment location of a resource determines the country or region where metadata and data is stored and processed.Important
Azure.Resource.RequiredTagsResources without a standard tagging convention may be difficult to identify and manage.Awareness
Azure.Resource.UseTagsAzure resources should be tagged using a standard convention.Awareness
Azure.Route.NameAzure Resource Manager (ARM) has requirements for Route table names.Awareness
Azure.Route.NamingRoute tables without a standard naming convention may be difficult to identify and manage.Awareness
Azure.RSV.ImmutableEnsure immutability is configured to protect backup data.Important
Azure.RSV.NameRecovery Services vaults should meet naming requirements.Awareness
Azure.RSV.ReplicationAlertRecovery Services Vaults (RSV) without replication alerts configured may be at risk.Important
Azure.RSV.StorageTypeRecovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk.Important
Azure.Search.IndexSLAUse a minimum of 3 replicas to receive an SLA for query and index updates.Important
Azure.Search.ManagedIdentityConfigure managed identities to access Azure resources.Important
Azure.Search.NameAzure Resource Manager (ARM) has requirements for AI Search service names.Awareness
Azure.Search.NamingAzure AI Search services without a standard naming convention may be difficult to identify and manage.Awareness
Azure.Search.QuerySLAUse a minimum of 2 replicas to receive an SLA for index queries.Important
Azure.Search.SKUUse the basic and standard tiers for entry level workloads.Critical
Azure.ServiceBus.AuditLogsEnsure namespaces audit diagnostic logs are enabled.Important
Azure.ServiceBus.DisableLocalAuthAuthenticate Service Bus publishers and consumers with Entra ID identities.Important
Azure.ServiceBus.GeoReplicaEnhance resilience to regional outages by replicating namespaces.Important
Azure.ServiceBus.MinTLSService Bus namespaces should reject TLS versions older than 1.2.Important
Azure.ServiceBus.ReplicaLocationThe replica location determines the country or region where the data is stored and processed.Important
Azure.ServiceBus.UsageRegularly remove unused resources to reduce costs.Important
Azure.ServiceFabric.AADUse Entra ID client authentication for Service Fabric clusters.Critical
Azure.ServiceFabric.ManagedNamingService Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage.Awareness
Azure.ServiceFabric.NamingService Fabric cluster resources without a standard naming convention may be difficult to identify and manage.Awareness
Azure.ServiceFabric.ProtectionLevelNode to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks.Important
Azure.SignalR.ManagedIdentityConfigure SignalR Services to use managed identities to access Azure resources securely.Important
Azure.SignalR.NameSignalR service instance names should meet naming requirements.Awareness
Azure.SignalR.SLAUse SKUs that include an SLA when configuring SignalR Services.Important
Azure.SQL.AADUse Entra ID authentication with Azure SQL databases.Critical
Azure.SQL.AADOnlyEnsure Entra ID only authentication is enabled with Azure SQL Database.Important
Azure.SQL.AllowAzureAccessDetermine if access from Azure services is required.Important
Azure.SQL.AuditingEnable auditing for Azure SQL logical server.Important
Azure.SQL.DBNameAzure SQL Database names should meet naming requirements.Awareness
Azure.SQL.DBNamingAzure SQL database resources without a standard naming convention may be difficult to identify and manage.Awareness
Azure.SQL.DefenderCloudEnable Microsoft Defender for Azure SQL logical server.Important
Azure.SQL.ElasticPoolNamingAzure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage.Awareness
Azure.SQL.FGNameAzure SQL failover group names should meet naming requirements.Awareness
Azure.SQL.FirewallIPRangeEach IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.Important
Azure.SQL.FirewallRuleCountDetermine if there is an excessive number of firewall rules.Awareness
Azure.SQL.JobAgentNamingAzure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage.Awareness
Azure.SQL.MaintenanceWindowConfigure a customer-controlled maintenance window for Azure SQL databases.Important
Azure.SQL.MinTLSAzure SQL Database servers should reject TLS versions older than 1.2.Critical
Azure.SQL.ServerNameAzure SQL logical server names should meet naming requirements.Awareness
Azure.SQL.ServerNamingAzure SQL Database server resources without a standard naming convention may be difficult to identify and manage.Awareness
Azure.SQL.TDEUse Transparent Data Encryption (TDE) with Azure SQL Database.Critical
Azure.SQL.VAScanSQL Databases may have configuration vulnerabilities discovered after they are deployed.Important
Azure.SQLMI.AADUse Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.Critical
Azure.SQLMI.AADOnlyEnsure Azure AD-only authentication is enabled with Azure SQL Managed Instance.Important
Azure.SQLMI.MaintenanceWindowConfigure a customer-controlled maintenance window for Azure SQL Managed Instances.Important
Azure.SQLMI.ManagedIdentityEnsure managed identity is used to allow support for Azure AD authentication.Important
Azure.SQLMI.NameSQL Managed Instance names should meet naming requirements.Awareness
Azure.SQLMI.NamingSQL Managed Instance resources without a standard naming convention may be difficult to identify and manage.Awareness
Azure.Storage.BlobAccessTypeUse containers configured with a private access type that requires authorization.Important
Azure.Storage.BlobPublicAccessStorage Accounts should only accept authorized requests.Important
Azure.Storage.ContainerSoftDeleteEnable container soft delete on Storage Accounts.Important
Azure.Storage.Defender.DataScanEnable sensitive data threat detection in Microsoft Defender for Storage.Critical
Azure.Storage.Defender.MalwareScanEnable Malware Scanning in Microsoft Defender for Storage.Critical
Azure.Storage.DefenderCloudEnable Microsoft Defender for Storage for storage accounts.Critical
Azure.Storage.FileShareSoftDeleteEnable soft delete on Storage Accounts file shares.Important
Azure.Storage.FirewallStorage Accounts should only accept explicitly allowed traffic.Important
Azure.Storage.LocalAuthAccess keys allow depersonalized access to Storage Accounts using a shared secret.Important
Azure.Storage.MinTLSStorage Accounts should not accept weak or deprecated transport protocols for client-server communication.Critical
Azure.Storage.NameAzure Resource Manager (ARM) has requirements for Storage Account names.Awareness
Azure.Storage.NamingStorage Accounts without a standard naming convention may be difficult to identify and manage.Awareness
Azure.Storage.SecureTransferStorage accounts should only accept encrypted connections.Important
Azure.Storage.SoftDeleteEnable blob soft delete on Storage Accounts.Important
Azure.Storage.UseReplicationStorage Accounts using the LRS SKU are only replicated within a single zone.Important
Azure.Subscription.RequiredTagsSubscriptions without a standard tagging convention may be difficult to identify and manage.Awareness
Azure.Template.DebugDeploymentUse default deployment detail level for nested deployments.Awareness
Azure.Template.DefineParametersEach Azure Resource Manager (ARM) template file should contain a minimal number of parameters.Awareness
Azure.Template.ExpressionLengthTemplate expressions should not exceed the maximum length.Awareness
Azure.Template.LocationDefaultSet the default value for the location parameter within an ARM template to resource group location.Awareness
Azure.Template.LocationTypeLocation parameters should use a string value.Important
Azure.Template.MetadataLinkConfigure a metadata link for each parameter file.Important
Azure.Template.ParameterDataTypesSet the parameter default value to a value of the same type.Important
Azure.Template.ParameterFileUse ARM template parameter files that are valid.Important
Azure.Template.ParameterMetadataSet metadata descriptions in Azure Resource Manager (ARM) template for each parameter.Awareness
Azure.Template.ParameterMinMaxValueTemplate parameters minValue and maxValue constraints must be valid.Important
Azure.Template.ParameterSchemeUse an Azure template parameter file schema with the https scheme.Awareness
Azure.Template.ParameterStrongTypeSet the parameter value to a value that matches the specified strong type.Awareness
Azure.Template.ParameterValueSpecify a value for each parameter in template parameter files.Awareness
Azure.Template.ResourceLocationResource locations should be an expression or global.Awareness
Azure.Template.ResourcesEach Azure Resource Manager (ARM) template file should deploy at least one resource.Awareness
Azure.Template.TemplateFileUse ARM template files that are valid.Important
Azure.Template.TemplateSchemaUse a more recent version of the Azure template schema.Awareness
Azure.Template.TemplateSchemeUse an Azure template file schema with the https scheme.Awareness
Azure.Template.UseCommentsUse comments for each resource in ARM template to communicate purpose.Awareness
Azure.Template.UseDescriptionsUse descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose.Awareness
Azure.Template.UseLocationParameterTemplate should reference a location parameter to specify resource location.Awareness
Azure.Template.UseParametersEach Azure Resource Manager (ARM) template parameter should be used or removed from template files.Awareness
Azure.Template.UseVariablesEach Azure Resource Manager (ARM) template variable should be used or removed from template files.Awareness
Azure.Template.ValidSecretRefUse a valid secret reference within parameter files.Awareness
Azure.TrafficManager.EndpointsTraffic Manager should use at lest two enabled endpoints.Important
Azure.TrafficManager.ProtocolMonitor Traffic Manager web-based endpoints with HTTPS.Important
Azure.VM.AcceleratedNetworkingUse accelerated networking for supported operating systems and VM types.Important
Azure.VM.ADEUse Azure Disk Encryption (ADE).Important
Azure.VM.AgentVirtual Machines (VMs) without an agent provisioned are unable to use monitoring, management, and security extensions.Important
Azure.VM.AMAUse Azure Monitor Agent for collecting monitoring data from VMs.Important
Azure.VM.ASAlignmentUse availability sets aligned with managed disks fault domains.Important
Azure.VM.ASDistributeTrafficEnsure high availability by distributing traffic among members in an availability set.Important
Azure.VM.ASMinMembersAvailability sets should be deployed with at least two virtual machines (VMs).Important
Azure.VM.ASNameAvailability Set names should meet naming requirements.Awareness
Azure.VM.BasicSkuVirtual machines (VMs) should not use Basic sizes.Important
Azure.VM.ComputerNameVirtual Machine (VM) computer name should meet naming requirements.Awareness
Azure.VM.DiskAttachedManaged disks should be attached to virtual machines or removed.Important
Azure.VM.DiskCachingCheck disk caching is configured correctly for the workload.Important
Azure.VM.DiskNameManaged Disk names should meet naming requirements.Awareness
Azure.VM.DiskSizeAlignmentAlign to the Managed Disk billing increments to improve cost efficiency.Awareness
Azure.VM.MaintenanceConfigUse a maintenance configuration for virtual machines.Important
Azure.VM.MigrateAMAUse Azure Monitor Agent as replacement for Log Analytics Agent.Important
Azure.VM.MultiTenantHostingDeploy Windows 10 and 11 virtual machines in Azure using Multi-tenant Hosting Rights to leverage your existing Windows licenses.Awareness
Azure.VM.NameVirtual Machine (VM) names should meet naming requirements.Awareness
Azure.VM.NamingVirtual machines without a standard naming convention may be difficult to identify and manage.Awareness
Azure.VM.PPGNameProximity Placement Group (PPG) names should meet naming requirements.Awareness
Azure.VM.PromoSkuVirtual machines (VMs) should not use expired promotional SKU.Awareness
Azure.VM.PublicIPAttachedAvoid attaching public IPs directly to virtual machines.Critical
Azure.VM.PublicKeyLinux virtual machines should use public keys.Important
Azure.VM.ScriptExtensionsCustom Script Extensions scripts that reference secret values must use the protectedSettings.Important
Azure.VM.ShouldNotBeStoppedAzure Virtual Machines in a stopped state are still allocated and billed for compute usage.Important
Azure.VM.SQLServerDiskUse Premium SSD disks or greater for data and log files for production SQL Server workloads.Important
Azure.VM.StandaloneSingle instance VMs are a single point of failure, however reliability can be improved by using premium storage.Important
Azure.VM.UpdatesEnsure automatic updates are enabled at deployment.Important
Azure.VM.UseHybridUseBenefitUse Azure Hybrid Benefit for applicable virtual machine (VM) workloads.Awareness
Azure.VM.UseManagedDisksVirtual machines (VMs) should use managed disks.Important
Azure.VMSS.AMAUse Azure Monitor Agent for collecting monitoring data from VM scale sets.Important
Azure.VMSS.AutoInstanceRepairsApplications or infrastructure relying on a virtual machine scale sets may fail if VM instances are unhealthy.Important
Azure.VMSS.AvailabilityZoneDeploy virtual machine scale set instances using availability zones in supported regions to ensure high availability and resilience.Important
Azure.VMSS.ComputerNameVirtual Machine Scale Set (VMSS) computer name should meet naming requirements.Awareness
Azure.VMSS.MigrateAMAUse Azure Monitor Agent as replacement for Log Analytics Agent.Important
Azure.VMSS.NameVirtual Machine Scale Set (VMSS) names should meet naming requirements.Awareness
Azure.VMSS.PublicIPAttachedAvoid attaching public IPs directly to virtual machine scale set instances.Critical
Azure.VMSS.PublicKeyUse SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities.Important
Azure.VMSS.ScriptExtensionsCustom Script Extensions scripts that reference secret values must use the protectedSettings.Important
Azure.VMSS.ZoneBalanceDeploy virtual machine scale set instances using the best-effort zone balance in supported regions.Important
Azure.VNET.BastionSubnetVNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs.Important
Azure.VNET.FirewallSubnetUse Azure Firewall to filter network traffic to and from Azure resources.Important
Azure.VNET.FirewallSubnetNATZonal-deployed Azure Firewalls should consider using an Azure NAT Gateway for outbound access.Awareness
Azure.VNET.LocalDNSVirtual networks (VNETs) should use DNS servers deployed within the same Azure region.Important
Azure.VNET.NameAzure Resource Manager (ARM) has requirements for Virtual Network names.Awareness
Azure.VNET.NamingVirtual Networks without a standard naming convention may be difficult to identify and manage.Awareness
Azure.VNET.PeerStateVNET peering connections must be connected.Important
Azure.VNET.PrivateSubnetSubnets that allow direct outbound access to the Internet may expose virtual machines to increased security risks.Critical
Azure.VNET.SingleDNSVirtual networks (VNETs) should have at least two DNS servers assigned.Important
Azure.VNET.SubnetNameAzure Resource Manager (ARM) has requirements for Virtual Network Subnet names.Awareness
Azure.VNET.SubnetNamingVirtual Network subnets without a standard naming convention may be difficult to identify and manage.Awareness
Azure.VNET.UseNSGsVirtual network (VNET) subnets should have Network Security Groups (NSGs) assigned.Critical
Azure.VNG.ConnectionNameVirtual Network Gateway (VNG) connection names should meet naming requirements.Awareness
Azure.VNG.ConnectionNamingVirtual network gateway connections without a standard naming convention may be difficult to identify and manage.Awareness
Azure.VNG.ERAvailabilityZoneSKUUse availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type.Important
Azure.VNG.ERLegacySKUMigrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways.Critical
Azure.VNG.MaintenanceConfigUse a customer-controlled maintenance configuration for virtual network gateways.Important
Azure.VNG.NameVirtual Network Gateway (VNG) names should meet naming requirements.Awareness
Azure.VNG.NamingVirtual network gateway without a standard naming convention may be difficult to identify and manage.Awareness
Azure.VNG.VPNActiveActiveUse VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime.Important
Azure.VNG.VPNAvailabilityZoneSKUUse availability zone SKU for virtual network gateways deployed with VPN gateway type.Important
Azure.VNG.VPNLegacySKUMigrate from legacy SKUs to improve reliability and performance of VPN gateways.Critical
Azure.vWAN.NameVirtual WAN (vWAN) names should meet naming requirements.Awareness
Azure.WebPubSub.ManagedIdentityConfigure Web PubSub Services to use managed identities to access Azure resources securely.Important
Azure.WebPubSub.SLAUse SKUs that include an SLA when configuring Web PubSub Services.Important