1.1.1 Ensure Security Defaults is enabled on Azure Active Directory (Manual)
1.1.2 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users (Manual)
1.1.3 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users (Manual)
1.1.4 Ensure that 'Restore multi-factor authentication on all remembered devices' is Enabled (Manual)
1.2.1 Ensure Trusted Locations Are Defined (Manual)
1.2.2 Ensure that an exclusionary Geographic Access Policy is considered (Manual)
1.2.3 Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups (Manual)
1.2.4 Ensure that A Multi-factor Authentication Policy Exists for All Users (Manual)
1.2.5 Ensure Multi-factor Authentication is Required for Risky Sign-ins (Manual)
1.2.6 Ensure Multi-factor Authentication is Required for Azure Management (Manual)
1.3 Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management (Manual)
1.4 Ensure Guest Users Are Reviewed on a Regular Basis (Manual)
1.5 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' (Manual)
1.6 Ensure That 'Number of methods required to reset' is set to '2' (Manual)
1.7 Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization (Manual)
1.8 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' (Manual)
1.9 Ensure that 'Notify users on password resets?' is set to 'Yes' (Manual)
1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' (Manual)
1.11 Ensure That 'Users Can Consent to Apps Accessing Company Data on Their Behalf' Is Set To 'Allow for Verified Publishers' (Manual)
1.12 Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' (Manual)
1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No' (Manual)
1.14 Ensure That 'Users Can Register Applications' Is Set to 'No' (Manual)
1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' (Manual)
1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" (Manual)
1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' (Manual)
1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' (Manual)
1.19 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' (Manual)
1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' (Manual)
1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' (Manual)
1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' (Manual)
1.23 Ensure That No Custom Subscription Owner Roles Are Created (Automated)
1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks (Manual)
1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One' (Manual)
2.1.1 Ensure That Microsoft Defender for Servers Is Set to 'On' (Manual)
2.1.2 Ensure That Microsoft Defender for App Services Is Set To 'On' (Manual)
2.1.3 Ensure That Microsoft Defender for Databases Is Set To 'On' (Manual)
2.1.4 Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On' (Manual)
2.1.5 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' (Manual)
2.1.6 Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' (Manual)
2.1.7 Ensure That Microsoft Defender for Storage Is Set To 'On' (Manual)
2.1.8 Ensure That Microsoft Defender for Containers Is Set To 'On' (Manual)
2.1.9 Ensure That Microsoft Defender for Cosmos DB Is Set To 'On' (Manual)
2.1.10 Ensure That Microsoft Defender for Key Vault Is Set To 'On' (Manual)
2.1.11 Ensure That Microsoft Defender for DNS Is Set To 'On' (Manual)
2.1.12 Ensure That Microsoft Defender for IoT Is Set To 'On' (Manual)
2.1.13 Ensure That Microsoft Defender for Resource Manager Is Set To 'On' (Manual)
2.2.1 Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' (Manual)
2.2.2 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' (Manual)
2.2.3 Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' (Manual)
2.3.1 Ensure That 'All users with the following roles' is set to 'Owner' (Manual)
2.3.2 Ensure 'Additional email addresses' is Configured with a Security Contact Email (Manual)
2.3.3 Ensure That 'Notify about alerts with the following severity' is Set to 'High' (Manual)
2.4.1 Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected (Manual)
2.4.2 Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected (Manual)
2.5 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' (Manual)
2.6 Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled' (Manual)
3.1 Ensure that 'Secure transfer required' is set to 'Enabled' (Automated)
3.2 Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled' (Automated)
3.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account (Manual)
3.4 Ensure that Storage Account Access Keys are Periodically Regenerated (Manual)
3.5 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests (Manual)
3.6 Ensure that Shared Access Signature Tokens Expire Within an Hour (Manual)
3.7 Ensure that 'Public access level' is disabled for storage accounts with blob containers (Automated)
3.8 Ensure Default Network Access Rule for Storage Accounts is Set to Deny (Automated)
3.9 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access (Automated)
3.10 Ensure Private Endpoints are used to access Storage Accounts (Automated)
3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage (Manual)
3.12 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (Manual)
3.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests (Manual)
3.14 Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests (Manual)
3.15 Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2" (Automated)
4.1.1 Ensure that 'Auditing' is set to 'On' (Manual)
4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) (Automated)
4.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key (Automated)
4.1.4 Ensure that Azure Active Directory Admin is Configured for SQL Servers (Automated)
4.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database (Automated)
4.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days' (Manual)
4.2.1 Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers (Automated)
4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account (Automated)
4.2.3 Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server (Automated)
4.2.4 Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server (Automated)
4.2.5 Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server (Automated)
4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server (Automated)
4.3.2 Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server (Automated)
4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server (Automated)
4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server (Automated)
4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server (Automated)
4.3.6 Ensure Server Parameter 'logretentiondays' is greater than 3 days for PostgreSQL Database Server (Automated)
4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled (Automated)
4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' (Automated)
4.4.1 Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server (Automated)
4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server (Automated)
4.4.3 Ensure server parameter 'auditlogenabled' is set to 'ON' for MySQL Database Server (Manual)
4.4.4 Ensure server parameter 'auditlogevents' has 'CONNECTION' set for MySQL Database Server (Manual)
4.5.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks (Automated)
4.5.2 Ensure That Private Endpoints Are Used Where Possible (Automated)
5.1.1 Ensure that a 'Diagnostic Setting' exists (Manual)
5.1.2 Ensure Diagnostic Setting captures appropriate categories (Automated)
5.1.3 Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible (Manual)
5.1.4 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (Manual)
5.1.5 Ensure that logging for Azure Key Vault is 'Enabled' (Automated)
5.1.6 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics (Manual)
5.1.7 Ensure that logging for Azure AppService 'AppServiceHTTPLogs' is enabled (Manual)
5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment (Automated)
5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment (Automated)
5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group (Automated)
5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group (Automated)
5.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution (Automated)
5.2.6 Ensure that Activity Log Alert exists for Delete Security Solution (Automated)
5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule (Automated)
5.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule (Automated)
5.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule (Automated)
5.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule (Automated)
5.3 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it (Manual)
6.1 Ensure that RDP access from the Internet is evaluated and restricted (Automated)
6.2 Ensure that SSH access from the Internet is evaluated and restricted (Automated)
6.3 Ensure that UDP access from the Internet is evaluated and restricted (Automated)
6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted (Automated)
6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' (Automated)
6.6 Ensure that Network Watcher is 'Enabled' (Automated)
6.7 Ensure that Public IP addresses are Evaluated on a Periodic Basis (Manual)
7.1 Ensure Virtual Machines are utilizing Managed Disks (Automated)
7.2 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) (Automated)
7.3 Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) (Automated)
7.4 Ensure that Only Approved Extensions Are Installed (Manual)
7.5 Ensure that Endpoint Protection for all Virtual Machines is installed (Manual)
7.6 [Legacy] Ensure that VHDs are Encrypted (Manual)
8.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults (Automated)
8.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults (Automated)
8.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults (Automated)
8.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults (Automated)
8.5 Ensure the Key Vault is Recoverable (Automated)
8.6 Enable Role Based Access Control for Azure Key Vault (Automated)
8.7 Ensure that Private Endpoints are Used for Azure Key Vault (Automated)
8.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services (Manual)
9.1 Ensure App Service Authentication is set up for apps in Azure App Service (Automated)
9.2 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service (Automated)
9.3 Ensure Web App is using the latest version of TLS encryption (Automated)
9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' (Automated)
9.5 Ensure that Register with Azure Active Directory is enabled on App Service (Automated)
9.6 Ensure That 'PHP version' is the Latest, If Used to Run the Web App (Manual)
9.7 Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App (Manual)
9.8 Ensure that 'Java version' is the latest, if used to run the Web App (Manual)
9.9 Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App (Automated)
9.10 Ensure FTP deployments are Disabled (Automated)
9.11 Ensure Azure Key Vaults are Used to Store Secrets (Manual)
10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources (Manual)