💼 1 Identity and Access Management | 23 | | | |
💼 1.1 Ensure that multi-factor authentication is enabled for all privileged users - Level 1 (Manual; not supported: no API/CLI available from Azure) | | | | |
💼 1.2 Ensure that multi-factor authentication is enabled for all non-privileged users - Level 2 (Manual; not supported: no API/CLI available from Azure) | | | | |
💼 1.3 Ensure guest users are reviewed on a monthly basis - Level 1 (Manual; assessment requires a manual procedure) | | | | |
💼 1.4 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' - Level 2 (Manual; not supported: no API/CLI available from Azure) | | | | |
💼 1.5 Ensure that 'Number of methods required to reset' is set to '2' - Level 1 (Manual; not supported: no API/CLI available from Azure) | | | | |
💼 1.6 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' - Level 1 (Manual; not supported: no API/CLI available from Azure) | | | | |
💼 1.7 Ensure that 'Notify users on password resets?' is set to 'Yes' - Level 1 (Manual; not supported: no API/CLI available from Azure) | | | | |
💼 1.8 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' - Level 2 (Manual; not supported: no API/CLI available from Azure) | | | | |
💼 1.9 Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' - Level 2 (Manual; not supported: no API/CLI available from Azure) | | | | |
💼 1.10 Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' - Level 2 (Manual; not supported: no API/CLI available from Azure) | | | | |
💼 1.11 Ensure that 'Users can register applications' is set to 'No' - Level 2 (Manual; not supported: no API/CLI available from Azure) | | | | |
💼 1.12 Ensure that 'Guest user permissions are limited' is set to 'Yes' - Level 2 (Manual; not supported: no API/CLI available from Azure) | | | | |
💼 1.13 Ensure that 'Members can invite' is set to 'No' - Level 2 (Manual; not supported: no API/CLI available from Azure) | | | | |
💼 1.14 Ensure that 'Guests can invite' is set to 'No' - Level 2 (Manual; not supported: no API/CLI available from Azure) | | | | |
💼 1.15 Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' - Level 1 (Manual; not supported: no API/CLI available from Azure) | | | | |
💼 1.16 Ensure that 'Restrict user ability to access groups features in the Access Panel' is set to 'No' - Level 2 (Manual; not supported: no API/CLI available from Azure) | | | | |
💼 1.17 Ensure that 'Users can create security groups in Azure Portals' is set to 'No' - Level 2 (Manual; not supported: no API/CLI available from Azure) | | | | |
💼 1.18 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' - Level 2 (Manual; not supported: no API/CLI available from Azure) | | | | |
💼 1.19 Ensure that 'Users can create Microsoft 365 groups in Azure Portals' is set to 'No' - Level 2 (Manual; not supported: no API/CLI available from Azure) | | | | |
💼 1.20 Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' - Level 1 (Manual; not supported: no API/CLI available from Azure) | | | | |
💼 1.21 Ensure that no custom subscription owner roles are created - Level 2 (Automated) | | | | |
💼 1.22 Ensure Security Defaults is enabled on Azure Active Directory - Level 1 (Automated; not supported: no API/CLI available from Azure) | | | | |
💼 1.23 Ensure Custom Role is assigned for Administering Resource Locks - Level 2 (Manual) | | | | |
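Control 1.21 is the only automatable item in this section: it looks for custom role definitions that grant Actions `*` at the tenant root or at a whole subscription, which makes them Owner-equivalent. As an added example (not part of the benchmark listing or of any tool behind it), the following Python implements that check over a constructed list of role definitions; the field names are assumed to follow `az role definition list --custom-role-only true -o json`, and the function names and the placeholder subscription GUID are mine.

```python
import re

# A bare "/subscriptions/<guid>" or the tenant root "/" is the scope at which a
# custom role with Actions "*" behaves like the built-in Owner role (CIS 1.21).
_SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[0-9a-f-]{36}$", re.IGNORECASE)


def is_owner_equivalent_scope(scope: str) -> bool:
    """True for the root or a whole-subscription scope; False for resource groups and below."""
    scope = scope.strip()
    return scope == "/" or bool(_SUBSCRIPTION_SCOPE.match(scope.rstrip("/")))


def find_custom_owner_roles(role_definitions: list[dict]) -> list[dict]:
    """Return custom roles that grant Actions '*' at root or subscription scope.

    Assumed input shape (az CLI JSON): roleName, roleType, permissions[].actions,
    permissions[].notActions, assignableScopes.
    """
    findings = []
    for rd in role_definitions:
        if rd.get("roleType") != "CustomRole":
            continue
        perms = rd.get("permissions") or []
        grants_everything = any("*" in (p.get("actions") or []) for p in perms)
        broad_scopes = [s for s in rd.get("assignableScopes") or [] if is_owner_equivalent_scope(s)]
        if grants_everything and broad_scopes:
            # notActions subtract from "*" during ARM evaluation, but the benchmark
            # still treats such a role as Owner-equivalent: report it, do not excuse it.
            not_actions = sorted({n for p in perms for n in (p.get("notActions") or [])})
            findings.append({
                "roleName": rd.get("roleName"),
                "assignableScopes": broad_scopes,
                "notActions": not_actions,
            })
    return findings


# Constructed sample modelled on az CLI output; the GUID is a placeholder.
SAMPLE_ROLE_DEFINITIONS = [
    {
        "roleName": "Ops Superuser",
        "roleType": "CustomRole",
        "permissions": [{"actions": ["*"], "notActions": ["Microsoft.Authorization/*/Delete"]}],
        "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
    },
    {
        "roleName": "RG Admin",
        "roleType": "CustomRole",
        "permissions": [{"actions": ["*"], "notActions": []}],
        "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/app-rg"],
    },
    {
        "roleName": "VM Operator",
        "roleType": "CustomRole",
        "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/*"], "notActions": []}],
        "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
    },
    {
        "roleName": "Owner",
        "roleType": "BuiltInRole",
        "permissions": [{"actions": ["*"], "notActions": []}],
        "assignableScopes": ["/"],
    },
]

if __name__ == "__main__":
    for f in find_custom_owner_roles(SAMPLE_ROLE_DEFINITIONS):
        print(f"FAIL 1.21: custom role {f['roleName']!r} grants '*' at {f['assignableScopes']}")
```

Only "Ops Superuser" is reported: "RG Admin" grants `*` but only inside one resource group, "VM Operator" is scoped to the subscription but not to `*`, and the built-in Owner role is excluded by `roleType`.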
💼 2 Security Center | 15 | | | |
💼 2.1 Ensure that Azure Defender is set to On for Servers - Level 2 (Manual) | | 1 | 1 | |
💼 2.2 Ensure that Azure Defender is set to On for App Service - Level 2 (Manual) | | 1 | 1 | |
💼 2.3 Ensure that Azure Defender is set to On for Azure SQL database servers - Level 2 (Manual) | | 1 | 1 | |
💼 2.4 Ensure that Azure Defender is set to On for SQL servers on machines - Level 2 (Manual) | | 1 | 1 | |
💼 2.5 Ensure that Azure Defender is set to On for Storage - Level 2 (Manual) | | 1 | 1 | |
💼 2.6 Ensure that Azure Defender is set to On for Kubernetes - Level 2 (Manual) | | | | |
💼 2.7 Ensure that Azure Defender is set to On for Container Registries - Level 2 (Manual) | | 1 | 1 | |
💼 2.8 Ensure that Azure Defender is set to On for Key Vault - Level 2 (Manual) | | 1 | 1 | |
💼 2.9 Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected - Level 2 (Manual) | | 1 | 1 | |
💼 2.10 Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected - Level 2 (Manual) | | 1 | 1 | |
💼 2.11 Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' - Level 1 (Automated) | | | | |
💼 2.12 Ensure that none of the ASC Default policy settings is set to 'Disabled' - Level 1 (Manual; not supported: requires a manual assessment) | | | | |
💼 2.13 Ensure 'Additional email addresses' is configured with a security contact email - Level 1 (Automated) | | 1 | 1 | |
💼 2.14 Ensure that 'Notify about alerts with the following severity' is set to 'High' - Level 1 (Automated) | | | | |
💼 2.15 Ensure that 'All users with the following roles' is set to 'Owner' - Level 1 (Automated) | | 1 | 1 | |
💼 3 Storage Accounts | 11 | | | |
💼 3.1 Ensure that 'Secure transfer required' is set to 'Enabled' - Level 1 (Automated) | | 1 | 1 | |
💼 3.2 Ensure that storage account access keys are periodically regenerated - Level 1 (Manual) | | | | |
💼 3.3 Ensure Storage logging is enabled for Queue service for read, write, and delete requests - Level 2 (Manual) | | 1 | 1 | |
💼 3.4 Ensure that shared access signature tokens expire within an hour - Level 1 (Manual; not supported: no API/CLI available from Azure) | | | | |
💼 3.5 Ensure that 'Public access level' is set to Private for blob containers - Level 1 (Automated) | | | | |
💼 3.6 Ensure default network access rule for Storage Accounts is set to deny - Level 2 (Automated) | | | | |
💼 3.7 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access - Level 2 (Manual) | | 1 | 1 | |
💼 3.8 Ensure soft delete is enabled for Azure Storage - Level 1 (Automated) | | 1 | 1 | |
💼 3.9 Ensure storage for critical data are encrypted with Customer Managed Key - Level 2 (Automated) | | 1 | 1 | |
💼 3.10 Ensure Storage logging is enabled for Blob service for read, write, and delete requests - Level 2 (Manual) | | 1 | 1 | |
💼 3.11 Ensure Storage logging is enabled for Table service for read, write, and delete requests - Level 2 (Manual) | | | | |
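The automated Storage Account controls above all reduce to properties the Azure CLI returns for an account, its blob service and its containers. As an added example (not code from the benchmark listing or any tool it reflects), the following Python evaluates 3.1, 3.5, 3.6, 3.7, 3.8 and 3.9 over a constructed account record; the field names are assumed to follow the JSON output of `az storage account show`, `az storage account blob-service-properties show` and `az storage container list`, and the function names are mine.

```python
def _bypass_set(network_rule_set: dict) -> set[str]:
    """`bypass` is a comma-separated string such as "AzureServices, Logging"."""
    raw = (network_rule_set or {}).get("bypass") or ""
    return {part.strip() for part in raw.split(",") if part.strip()}


def public_containers(containers: list[dict]) -> list[str]:
    """Containers whose access level is 'blob' or 'container' (anonymous read)."""
    return [
        c["name"] for c in containers
        if (c.get("properties") or {}).get("publicAccess") not in (None, "off", "None")
    ]


def audit_storage_account(account: dict, blob_service: dict, containers: list[dict]) -> dict[str, bool]:
    """Evaluate the automatable CIS 3.x checks for one storage account.

    Assumed input shapes (az CLI JSON):
      account      - `az storage account show`
      blob_service - `az storage account blob-service-properties show`
      containers   - `az storage container list`
    Returns {control_id: passed}.
    """
    nrs = account.get("networkRuleSet") or {}
    return {
        "3.1": account.get("enableHttpsTrafficOnly") is True,
        # 3.5: account-level allowBlobPublicAccess=false is the stronger fix and also
        # satisfies the check; otherwise every container must be private.
        "3.5": account.get("allowBlobPublicAccess") is False or not public_containers(containers),
        "3.6": nrs.get("defaultAction") == "Deny",
        # 3.7 only matters once 3.6 is Deny; it is reported independently here.
        "3.7": "AzureServices" in _bypass_set(nrs),
        "3.8": bool((blob_service.get("deleteRetentionPolicy") or {}).get("enabled")),
        # 3.9 applies to accounts holding critical data; tag or list them before running.
        "3.9": (account.get("encryption") or {}).get("keySource") == "Microsoft.Keyvault",
    }


def failed_controls(results: dict[str, bool]) -> list[str]:
    return sorted(cid for cid, ok in results.items() if not ok)


# Constructed sample records modelled on az CLI output.
SAMPLE_ACCOUNT = {
    "name": "stcritical001",
    "enableHttpsTrafficOnly": True,
    "allowBlobPublicAccess": True,
    "networkRuleSet": {"bypass": "AzureServices, Logging", "defaultAction": "Allow"},
    "encryption": {"keySource": "Microsoft.Storage"},
}
SAMPLE_BLOB_SERVICE = {"deleteRetentionPolicy": {"enabled": True, "days": 7}}
SAMPLE_CONTAINERS = [
    {"name": "public-assets", "properties": {"publicAccess": "blob"}},
    {"name": "backups", "properties": {"publicAccess": None}},
]

if __name__ == "__main__":
    results = audit_storage_account(SAMPLE_ACCOUNT, SAMPLE_BLOB_SERVICE, SAMPLE_CONTAINERS)
    print("failed:", failed_controls(results))
    print("anonymously readable containers:", public_containers(SAMPLE_CONTAINERS))
```

For the sample account the failing controls are 3.5 (the `public-assets` container is anonymously readable and the account still allows public access), 3.6 (default network action is Allow) and 3.9 (platform-managed rather than customer-managed key).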
💼 4 Database Services | 5 | | | |
💼 4.1 SQL Server - Auditing | 3 | | | |
💼 4.1.1 Ensure that 'Auditing' is set to 'On' - Level 1 (Automated) | | 1 | 1 | |
💼 4.1.2 Ensure that 'Data encryption' is set to 'On' on a SQL Database - Level 1 (Automated) | | | | |
💼 4.1.3 Ensure that 'Auditing' Retention is 'greater than 90 days' - Level 1 (Automated) | | 1 | 1 | |
💼 4.2 SQL Server - Azure Defender for SQL | 5 | | | |
💼 4.2.1 Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled' - Level 2 (Automated) | | | | |
💼 4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account - Level 2 (Automated) | | | | |
💼 4.2.3 Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server - Level 2 (Automated) | | | | |
💼 4.2.4 Ensure that VA setting Send scan reports to is configured for a SQL server - Level 2 (Automated) | | | | |
💼 4.2.5 Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server - Level 2 (Automated) | | | | |
💼 4.3 PostgreSQL Database Server | 8 | | | |
💼 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server - Level 1 (Automated) | | 1 | 1 | |
💼 4.3.2 Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server - Level 1 (Automated) | | 1 | 1 | |
💼 4.3.3 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server - Level 1 (Automated) | | 1 | 1 | |
💼 4.3.4 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server - Level 1 (Automated) | | 1 | 1 | |
💼 4.3.5 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server - Level 1 (Automated) | | 1 | 1 | |
💼 4.3.6 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server - Level 1 (Automated) | | 1 | 1 | |
💼 4.3.7 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server - Level 1 (Automated) | | 1 | 1 | |
💼 4.3.8 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled - Level 1 (Manual) | | 1 | 1 | |
💼 4.4 Ensure that Azure Active Directory Admin is configured - Level 1 (Automated) | | 1 | 1 | |
💼 4.5 Ensure SQL server's TDE protector is encrypted with Customer-managed key - Level 2 (Automated) | | 1 | 1 | |
💼 5 Logging and Monitoring | 3 | | | |
💼 5.1 Configuring Diagnostic Settings | 5 | | | |
💼 5.1.1 Ensure that a 'Diagnostics Setting' exists - Level 1 (Manual; not supported: requires a manual assessment) | | | | |
💼 5.1.2 Ensure Diagnostic Setting captures appropriate categories - Level 1 (Automated) | | 1 | 1 | |
💼 5.1.3 Ensure the storage container storing the activity logs is not publicly accessible - Level 1 (Automated; not supported: requires a manual assessment) | | | | |
💼 5.1.4 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) - Level 2 (Automated) | | 1 | 1 | |
💼 5.1.5 Ensure that logging for Azure KeyVault is 'Enabled' - Level 1 (Automated) | | 1 | 1 | |
💼 5.2 Monitoring using Activity Log Alerts | 9 | | | |
💼 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment - Level 1 (Automated) | | 1 | 1 | |
💼 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment - Level 1 (Automated) | | 1 | 1 | |
💼 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group - Level 1 (Automated) | | 1 | 1 | |
💼 5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group - Level 1 (Automated) | | 1 | 1 | |
💼 5.2.5 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule - Level 1 (Automated) | | | | |
💼 5.2.6 Ensure that activity log alert exists for the Delete Network Security Group Rule - Level 1 (Automated) | | | | |
💼 5.2.7 Ensure that Activity Log Alert exists for Create or Update Security Solution - Level 1 (Automated) | | | | |
💼 5.2.8 Ensure that Activity Log Alert exists for Delete Security Solution - Level 1 (Automated) | | 1 | 1 | |
💼 5.2.9 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule - Level 1 (Automated) | | | | |
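Each 5.2.x control asks for an enabled activity log alert, scoped to the subscription, whose condition matches category Administrative and one specific operationName (5.2.9 needs both the write and the delete operation). As an added example (not part of the listing or any tool behind it), the following Python computes which controls are still uncovered from a constructed list of alert rules; the field names are assumed to follow `az monitor activity-log alert list -o json`, and the `_alert` sample builder, the function names and the placeholder subscription ID are mine.

```python
# CIS 5.2.x -> Administrative operationName(s) an alert must match.
REQUIRED_ALERTS = {
    "5.2.1": ["Microsoft.Authorization/policyAssignments/write"],
    "5.2.2": ["Microsoft.Authorization/policyAssignments/delete"],
    "5.2.3": ["Microsoft.Network/networkSecurityGroups/write"],
    "5.2.4": ["Microsoft.Network/networkSecurityGroups/delete"],
    "5.2.5": ["Microsoft.Network/networkSecurityGroups/securityRules/write"],
    "5.2.6": ["Microsoft.Network/networkSecurityGroups/securityRules/delete"],
    "5.2.7": ["Microsoft.Security/securitySolutions/write"],
    "5.2.8": ["Microsoft.Security/securitySolutions/delete"],
    "5.2.9": ["Microsoft.Sql/servers/firewallRules/write",
              "Microsoft.Sql/servers/firewallRules/delete"],
}


def _alert_operations(alert: dict) -> set[str]:
    """operationName values this alert fires on, or empty if it is not an Administrative alert."""
    fields: dict[str, set] = {}
    for cond in ((alert.get("condition") or {}).get("allOf")) or []:
        fields.setdefault((cond.get("field") or "").lower(), set()).add(cond.get("equals"))
    categories = {v.lower() for v in fields.get("category", set()) if v}
    if "administrative" not in categories:
        return set()
    return {op for op in fields.get("operationname", set()) if op}


def covered_operations(alerts: list[dict], subscription_id: str) -> set[str]:
    """Operations that an enabled alert scoped to the whole subscription watches."""
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    covered: set[str] = set()
    for alert in alerts:
        if not alert.get("enabled", True):
            continue
        scopes = {s.lower().rstrip("/") for s in alert.get("scopes") or []}
        if sub_scope not in scopes:          # resource-group-scoped alerts do not count
            continue
        covered |= _alert_operations(alert)
    return covered


def missing_activity_log_alerts(alerts: list[dict], subscription_id: str) -> dict[str, list[str]]:
    """{control_id: [operations with no qualifying alert]} for every failing 5.2.x control."""
    covered = covered_operations(alerts, subscription_id)
    missing = {}
    for cid, ops in REQUIRED_ALERTS.items():
        gaps = [op for op in ops if op not in covered]
        if gaps:
            missing[cid] = gaps
    return missing


SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"   # placeholder


def _alert(name, operation, enabled=True, scope=None, category="Administrative"):
    """Build one constructed alert record in the az CLI shape."""
    return {
        "name": name, "enabled": enabled,
        "scopes": [scope or f"/subscriptions/{SUBSCRIPTION_ID}"],
        "condition": {"allOf": [
            {"field": "category", "equals": category},
            {"field": "operationName", "equals": operation},
        ]},
    }


SAMPLE_ALERTS = [
    _alert("policy-assign-create", "Microsoft.Authorization/policyAssignments/write"),
    _alert("policy-assign-delete", "Microsoft.Authorization/policyAssignments/delete"),
    _alert("nsg-write", "Microsoft.Network/networkSecurityGroups/write", enabled=False),
    _alert("sql-fw-write", "Microsoft.Sql/servers/firewallRules/write",
           scope=f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/db-rg"),
    _alert("secsol-write", "Microsoft.Security/securitySolutions/write", category="Security"),
]

if __name__ == "__main__":
    for cid, ops in missing_activity_log_alerts(SAMPLE_ALERTS, SUBSCRIPTION_ID).items():
        print(f"FAIL {cid}: no subscription-wide Administrative alert for {ops}")
```

The sample passes only 5.2.1 and 5.2.2: the NSG alert is disabled, the SQL firewall alert is scoped to a single resource group, and the security-solution alert uses the wrong category, so none of them count.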
💼 5.3 Ensure that Diagnostic Logs are enabled for all services which support it - Level 1 (Manual; not supported: requires a manual assessment) | | | | |
💼 6 Networking | 6 | | | |
💼 6.1 Ensure that RDP access is restricted from the internet - Level 1 (Automated) | | 1 | 1 | |
💼 6.2 Ensure that SSH access is restricted from the internet - Level 1 (Automated) | | 1 | 1 | |
💼 6.3 Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) - Level 1 (Automated) | | 1 | 1 | |
💼 6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' - Level 2 (Automated; not supported: requires a manual assessment) | | 1 | 1 | |
💼 6.5 Ensure that Network Watcher is 'Enabled' - Level 1 (Manual) | | | | |
💼 6.6 Ensure that UDP Services are restricted from the Internet - Level 1 (Automated) | | 1 | 1 | |
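Controls 6.1, 6.2 and 6.6 are about NSG rules, and a naive scan for any Allow rule on port 3389 or 22 gives both false positives (a higher-precedence Deny shadows it) and false negatives (a rule on `*` or on a range such as 3000-4000, or a source written as `0.0.0.0/0` or `/0` rather than `Internet`). As an added example (not the listing's or any tool's code), the following Python evaluates the rules the way the platform does, in priority order with first match winning, for a packet arriving from the Internet; the field names are assumed to follow `az network nsg rule list -o json`, the probe port list and the function names are mine, and the destination address is assumed to be `*`.

```python
from ipaddress import ip_network

# Source prefixes that mean "anywhere on the Internet" in an NSG rule.
INTERNET_TOKENS = {"*", "internet", "0.0.0.0/0", "/0", "0.0.0.0", "any"}
# Common UDP services probed for 6.6 on top of the ports each rule itself opens.
UDP_PROBE_PORTS = (53, 123, 137, 161, 1900)


def _prefixes(rule: dict) -> list[str]:
    single = rule.get("sourceAddressPrefix")
    return ([single] if single else []) + list(rule.get("sourceAddressPrefixes") or [])


def _port_specs(rule: dict) -> list[str]:
    single = rule.get("destinationPortRange")
    return ([single] if single else []) + list(rule.get("destinationPortRanges") or [])


def _is_internet(prefix: str) -> bool:
    p = prefix.strip()
    if p.lower() in INTERNET_TOKENS:
        return True
    try:
        return ip_network(p, strict=False).prefixlen == 0   # e.g. "10.0.0.0/0"
    except ValueError:
        return False   # service tags such as VirtualNetwork, AzureLoadBalancer


def _port_matches(port: int, spec: str) -> bool:
    spec = spec.strip()
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _edge_ports(spec: str) -> tuple[int, int]:
    spec = spec.strip()
    if spec == "*":
        return (1, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))


def effective_internet_access(rules: list[dict], protocol: str, port: int) -> str:
    """First-match evaluation of an inbound packet from the Internet to `port`.

    Rules are walked in ascending priority; the first one whose protocol, source
    and destination port all match decides. With no match the platform default
    DenyAllInBound (priority 65500) applies.
    """
    inbound = sorted((r for r in rules if (r.get("direction") or "").lower() == "inbound"),
                     key=lambda r: r["priority"])
    for r in inbound:
        if (r.get("protocol") or "*").lower() not in ("*", protocol.lower()):
            continue
        if not any(_is_internet(p) for p in _prefixes(r)):
            continue
        if not any(_port_matches(port, s) for s in _port_specs(r)):
            continue
        return r["access"]          # "Allow" or "Deny"
    return "Deny"


def cis_network_findings(rules: list[dict]) -> dict[str, bool]:
    """6.1 RDP, 6.2 SSH and 6.6 UDP exposure; True means the control passes.

    For 6.6 the probe set is the common UDP ports plus both ends of every port
    range opened by a UDP or any-protocol Allow rule; partial shadowing inside
    a range is not modelled.
    """
    udp_ports = set(UDP_PROBE_PORTS)
    for r in rules:
        if r.get("access") == "Allow" and (r.get("protocol") or "*").lower() in ("udp", "*"):
            for spec in _port_specs(r):
                udp_ports.update(_edge_ports(spec))
    return {
        "6.1": effective_internet_access(rules, "Tcp", 3389) == "Deny",
        "6.2": effective_internet_access(rules, "Tcp", 22) == "Deny",
        "6.6": all(effective_internet_access(rules, "Udp", p) == "Deny" for p in udp_ports),
    }


# Constructed sample rules in the az CLI shape.
SAMPLE_RULES = [
    {"name": "deny-rdp-internet", "priority": 90, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "allow-rdp-any", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "allow-ssh-corp", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "22"},
    {"name": "allow-dns-internet", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "Udp", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRanges": ["53", "123"]},
    {"name": "allow-web", "priority": 130, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefixes": ["Internet"], "destinationPortRanges": ["80", "443"]},
]

if __name__ == "__main__":
    print(cis_network_findings(SAMPLE_RULES))
```

In the sample, 6.1 passes even though `allow-rdp-any` exists, because the Deny at priority 90 is evaluated first; 6.2 passes because SSH is only open to 10.0.0.0/8; 6.6 fails on the DNS/NTP rule whose source is written as `0.0.0.0/0`.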
💼 7 Virtual Machines | 7 | | | |
💼 7.1 Ensure Virtual Machines are utilizing Managed Disks - Level 1 (Manual) | | 1 | 1 | |
💼 7.2 Ensure that 'OS and Data' disks are encrypted with CMK - Level 2 (Automated) | | 1 | 1 | |
💼 7.3 Ensure that 'Unattached disks' are encrypted with CMK - Level 2 (Automated) | | 1 | 1 | |
💼 7.4 Ensure that only approved extensions are installed - Level 1 (Manual; not supported: requires a manual assessment) | | | | |
💼 7.5 Ensure that the latest OS Patches for all Virtual Machines are applied - Level 1 (Manual) | | | | |
💼 7.6 Ensure that the endpoint protection for all Virtual Machines is installed - Level 1 (Manual) | | | | |
💼 7.7 Ensure that VHDs are encrypted - Level 2 (Manual; not supported: requires a manual assessment) | | | | |
💼 8 Other Security Considerations | 5 | | | |
💼 8.1 Ensure that the expiration date is set on all keys - Level 1 (Automated) | | 1 | 1 | |
💼 8.2 Ensure that the expiration date is set on all Secrets - Level 1 (Automated) | | 1 | 1 | |
💼 8.3 Ensure that Resource Locks are set for mission critical Azure resources - Level 2 (Manual; not supported: requires a manual assessment) | | | | |
💼 8.4 Ensure the key vault is recoverable - Level 1 (Automated) | | | | |
💼 8.5 Enable role-based access control (RBAC) within Azure Kubernetes Services - Level 1 (Automated) | | | | |
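Controls 8.1, 8.2 and 8.4 are all properties of a Key Vault and its objects: every enabled key and secret carries an expiry, and the vault has both soft delete and purge protection so that a deleted vault or object can be recovered and cannot be purged early. As an added example (not code from the listing or from any tool behind it), the following Python audits a constructed vault; the field names are assumed to follow `az keyvault show`, `az keyvault key list` and `az keyvault secret list` JSON output, the fixed reference time `REFERENCE_NOW` and the function names are mine, and already-expired objects are reported as well because they usually indicate a rotation process that has stalled.

```python
from datetime import datetime, timezone

# Fixed instant used for the sample so the result is reproducible.
REFERENCE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def _parse_time(value):
    """az CLI emits ISO 8601 such as "2030-01-01T00:00:00+00:00"; treat naive values as UTC."""
    if not value:
        return None
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def objects_without_expiry(objects: list[dict], now: datetime) -> tuple[list[str], list[str]]:
    """(names of enabled objects with no `attributes.expires`, names already past expiry)."""
    missing, expired = [], []
    for obj in objects:
        attrs = obj.get("attributes") or {}
        if attrs.get("enabled") is False:
            continue                     # disabled objects cannot be used; not a finding
        name = obj.get("name") or (obj.get("id") or "").rsplit("/", 1)[-1]
        expires = _parse_time(attrs.get("expires"))
        if expires is None:
            missing.append(name)
        elif expires <= now:
            expired.append(name)
    return missing, expired


def audit_key_vault(vault: dict, keys: list[dict], secrets: list[dict], now: datetime = REFERENCE_NOW) -> dict:
    """Evaluate 8.1 (keys), 8.2 (secrets) and 8.4 (recoverability) for one vault."""
    props = vault.get("properties") or vault
    keys_missing, keys_expired = objects_without_expiry(keys, now)
    secrets_missing, secrets_expired = objects_without_expiry(secrets, now)
    return {
        "results": {
            "8.1": not keys_missing,
            "8.2": not secrets_missing,
            # Soft delete alone is not enough: without purge protection an attacker
            # with the right role can purge the vault immediately after deleting it.
            "8.4": bool(props.get("enableSoftDelete")) and bool(props.get("enablePurgeProtection")),
        },
        "missing_expiry": keys_missing + secrets_missing,
        "expired": keys_expired + secrets_expired,
    }


# Constructed sample records in the az CLI shape.
SAMPLE_VAULT = {"name": "kv-prod", "properties": {"enableSoftDelete": True, "enablePurgeProtection": None}}
SAMPLE_KEYS = [
    {"name": "signing-key", "attributes": {"enabled": True, "expires": "2030-01-01T00:00:00+00:00"}},
    {"name": "legacy-key", "attributes": {"enabled": True, "expires": None}},
    {"name": "retired-key", "attributes": {"enabled": False, "expires": None}},
]
SAMPLE_SECRETS = [
    {"name": "db-password", "attributes": {"enabled": True, "expires": "2024-01-01T00:00:00+00:00"}},
    {"name": "api-token", "attributes": {"enabled": True, "expires": "2027-06-30T00:00:00+00:00"}},
]

if __name__ == "__main__":
    report = audit_key_vault(SAMPLE_VAULT, SAMPLE_KEYS, SAMPLE_SECRETS)
    print(report["results"])
    print("no expiry:", report["missing_expiry"], "| expired:", report["expired"])
```

For the sample, 8.1 fails because `legacy-key` has no expiry (the disabled `retired-key` is ignored), 8.2 passes although `db-password` has already expired, and 8.4 fails because purge protection was never enabled.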
💼 9 AppService | 11 | | | |
💼 9.1 Ensure App Service Authentication is set on Azure App Service - Level 2 (Automated) | | 1 | 1 | |
💼 9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service - Level 1 (Automated) | | 1 | 1 | |
💼 9.3 Ensure web app is using the latest version of TLS encryption - Level 1 (Automated) | | | | |
💼 9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' - Level 2 (Automated) | | | | |
💼 9.5 Ensure that Register with Azure Active Directory is enabled on App Service - Level 1 (Automated) | | 1 | 1 | |
💼 9.6 Ensure that 'PHP version' is the latest, if used to run the web app - Level 1 (Manual) | | 1 | 1 | |
💼 9.7 Ensure that 'Python version' is the latest, if used to run the web app - Level 1 (Manual) | | 1 | 1 | |
💼 9.8 Ensure that 'Java version' is the latest, if used to run the web app - Level 1 (Manual) | | 1 | 1 | |
💼 9.9 Ensure that 'HTTP Version' is the latest, if used to run the web app - Level 1 (Manual) | | | | |
💼 9.10 Ensure FTP deployments are disabled - Level 1 (Automated) | | 1 | 1 | |
💼 9.11 Ensure Azure Keyvaults are used to store secrets - Level 2 (Manual; not supported: requires a manual assessment) | | | | |
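The automated App Service controls map onto three objects: the site resource (HTTPS-only, client certificates, managed identity), its site configuration (minimum TLS, HTTP/2, FTP state) and its authentication settings. As an added example (not the listing's or any tool's code), the following Python evaluates 9.1, 9.2, 9.3, 9.4, 9.5, 9.9 and 9.10 over a constructed web app; the field names are assumed to follow the JSON output of `az webapp show`, `az webapp config show` and `az webapp auth show`, and the function names are mine. The runtime-version controls 9.6 to 9.8 are left out because "latest" moves with each release and has to be compared against a current list.

```python
def _tls_at_least(version, minimum=(1, 2)) -> bool:
    """Compare "1.0"/"1.1"/"1.2" style strings numerically; missing or odd values fail."""
    try:
        parts = tuple(int(x) for x in version.split("."))
    except (AttributeError, ValueError):
        return False
    return parts >= minimum


def audit_web_app(site: dict, config: dict, auth: dict) -> dict[str, bool]:
    """Assumed shapes: site = `az webapp show`, config = `az webapp config show`,
    auth = `az webapp auth show`. Returns {control_id: passed}."""
    identity_type = (site.get("identity") or {}).get("type") or ""
    return {
        "9.1": bool(auth.get("enabled")),
        "9.2": site.get("httpsOnly") is True,
        "9.3": _tls_at_least(config.get("minTlsVersion")),
        "9.4": site.get("clientCertEnabled") is True,
        "9.5": "SystemAssigned" in identity_type,
        "9.9": config.get("http20Enabled") is True,
        # "AllAllowed" permits plaintext FTP; "FtpsOnly" still allows FTPS deployment,
        # "Disabled" is the setting the remediation applies.
        "9.10": config.get("ftpsState") in ("Disabled", "FtpsOnly"),
    }


def failed_controls(results: dict[str, bool]) -> list[str]:
    return sorted(cid for cid, ok in results.items() if not ok)


# Constructed sample records in the az CLI shape.
SAMPLE_SITE = {
    "name": "app-frontend",
    "httpsOnly": True,
    "clientCertEnabled": False,
    "identity": {"type": "SystemAssigned"},
}
SAMPLE_CONFIG = {
    "minTlsVersion": "1.1",
    "http20Enabled": True,
    "ftpsState": "AllAllowed",
    "phpVersion": "7.4",
}
SAMPLE_AUTH = {"enabled": False}

if __name__ == "__main__":
    print("failed:", failed_controls(audit_web_app(SAMPLE_SITE, SAMPLE_CONFIG, SAMPLE_AUTH)))
```

The sample fails 9.1 (App Service Authentication off), 9.3 (TLS 1.1 minimum), 9.4 (no client certificates) and 9.10 (plaintext FTP still allowed); HTTPS redirection, the system-assigned identity and HTTP/2 pass.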