| 💼 1 Identity and Access Management | 25 | | | |
| 💼 1.1 Security Defaults | 4 | | | |
| 💼 1.1.1 Ensure Security Defaults is enabled on Azure Active Directory - Level 1 (Manual _ Not supported, no API/CLI available by Azure) | | | | |
| 💼 1.1.2 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users - Level 1 (Manual _ Not supported, no API/CLI available by Azure) | | | | |
| 💼 1.1.3 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users - Level 2 (Manual _ Not supported, no API/CLI available by Azure) | | | | |
| � 💼 1.1.4 Ensure that 'Restore multi-factor authentication on all remembered devices' is Enabled - Level 1 (Manual _ Not supported, no API/CLI available by Azure) | | | | |
| 💼 1.2 Conditional Access | 6 | | | |
| 💼 1.2.1 Ensure Trusted Locations Are Defined - Level 1 (Manual) | | | | |
| 💼 1.2.2 Ensure that an exclusionary Geographic Access Policy is considered - Level 1 (Manual) | | | | |
| 💼 1.2.3 Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups - Level 1 (Manual) | | | | |
| 💼 1.2.4 Ensure that A Multi-factor Authentication Policy Exists for All Users - Level 1 (Manual) | | | | |
| 💼 1.2.5 Ensure Multi-factor Authentication is Required for Risky Sign-ins - Level 1 (Manual) | | | | |
| 💼 1.2.6 Ensure Multi-factor Authentication is Required for Azure Management - Level 1 (Manual) | | | | |
| 💼 1.3 Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management - Level 2 (Manual) | | | | |
| 💼 1.4 Ensure Guest Users Are Reviewed on a Regular Basis - Level 1 (Manual _ Assessment requires a manual procedure. Hover over the title for the full description) | | | | |
| 💼 1.5 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' - Level 1 (Manual _ Not supported, no API/CLI available by Azure) | | | | |
| 💼 1.6 Ensure That 'Number of methods required to reset' is set to '2' - Level 1 (Manual _ Not supported, no API/CLI available by Azure) | | | | |
| 💼 1.7 Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization - Level 1 (Manual _ Not supported, no API/CLI available by Azure) | | | | |
| 💼 1.8 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' - Level 1 (Manual _ Not supported, no API/CLI available by Azure) | | | | |
| 💼 1.9 Ensure that 'Notify users on password resets?' is set to 'Yes' - Level 1 (Manual _ Not supported, no API/CLI available by Azure) | | | | |
| 💼 1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' - Level 1 (Manual _ Not supported, no API/CLI available by Azure) | | | | |
| 💼 1.11 Ensure That ‘Users Can Consent to Apps Accessing Company Data on Their Behalf’ Is Set To ‘Allow for Verified Publishers’ - Level 2 (Manual _ Not supported, no API/CLI available by Azure) | | | | |
| 💼 1.12 Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' - Level 1 (Manual _ Not supported, no API/CLI available by Azure) | | | | |
| 💼 1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No' - Level 1 (Manual _ Not supported, no API/CLI available by Azure) | | | | |
| 💼 1.14 Ensure That ‘Users Can Register Applications’ Is Set to ‘No’ - Level 1 (Manual _ Not supported, no API/CLI available by Azure) | | | | |
| 💼 1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' - Level 1 (Manual) | | | | |
| 💼 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" - Level 2 (Manual _ Not supported, no API/CLI available by Azure) | | | | |
| 💼 1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' - Level 1 (Manual _ Not supported, no API/CLI available by Azure) | | | | |
| 💼 1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' - Level 2 (Manual _ Not supported, no API/CLI available by Azure) | | | | |
| 💼 1.19 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' - Level 2 (Manual _ Not supported, no API/CLI available by Azure) | | | | |
| 💼 1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' - Level 2 (Manual _ Not supported, no API/CLI available by Azure) | | | | |
| 💼 1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' - Level 2 (Manual _ Not supported, no API/CLI available by Azure) | | | | |
| 💼 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' - Level 1 (Manual _ Not supported, no API/CLI available by Azure) | | | | |
| 💼 1.23 Ensure That No Custom Subscription Owner Roles Are Created - Level 1 (Automated) | | | | |
| 💼 1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks - Level 2 (Manual) | | | | |
| 💼 1.25 Ensure That ‘Subscription Entering AAD Directory’ and ‘Subscription Leaving AAD Directory’ Is Set To ‘Permit No One’ - Level 2 (Manual) | | | | |
| 💼 2 Microsoft Defender for Cloud | 6 | | | |
| 💼 2.1 Defender Plans | 13 | | | |
| 💼 2.1.1 Ensure That Microsoft Defender for Servers Is Set to 'On' - Level 2 (Manual) | | 1 | 1 | |
| 💼 2.1.2 Ensure That Microsoft Defender for App Services Is Set To 'On' - Level 2 (Manual) | | 1 | 1 | |
| 💼 2.1.3 Ensure That Microsoft Defender for Databases Is Set To 'On' - Level 2 (Manual) | | | | |
| 💼 2.1.4 Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On' - Level 2 (Manual) | | 1 | 1 | |
| 💼 2.1.5 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' - Level 2 (Manual) | | 1 | 1 | |
| 💼 2.1.6 Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' - Level 2 (Manual) | | | | |
| 💼 2.1.7 Ensure That Microsoft Defender for Storage Is Set To 'On' - Level 2 (Manual) | | 1 | 1 | |
| 💼 2.1.8 Ensure That Microsoft Defender for Containers Is Set To 'On' - Level 2 (Manual) | | | | |
| 💼 2.1.9 Ensure That Microsoft Defender for Cosmos DB Is Set To 'On' - Level 2 (Manual) | | | | |
| 💼 2.1.10 Ensure That Microsoft Defender for Key Vault Is Set To 'On' - Level 2 (Manual) | | 1 | 1 | |
| 💼 2.1.11 Ensure That Microsoft Defender for DNS Is Set To 'On' - Level 2 (Manual) | | 1 | 1 | |
| 💼 2.1.12 Ensure That Microsoft Defender for IoT Is Set To 'On' - Level 2 (Manual) | | | | |
| 💼 2.1.13 Ensure That Microsoft Defender for Resource Manager Is Set To 'On' - Level 2 (Manual) | | | | |
| 💼 2.2 Auto provisioning | 3 | | | |
| 💼 2.2.1 Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' - Level 1 (Automated) | | | | |
| 💼 2.2.2 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' - Level 2 (Automated) | | | | |
| 💼 2.2.3 Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' - Level 2 (Automated) | | | | |
| 💼 2.3 Email notifications | 3 | | | |
| 💼 2.3.1 Ensure That 'All users with the following roles' is set to 'Owner' - Level 1 (Automated) | | 1 | 1 | |
| 💼 2.3.2 Ensure 'Additional email addresses' is Configured with a Security Contact Email - Level 1 (Automated) | | 1 | 1 | |
| 💼 2.3.3 Ensure That 'Notify about alerts with the following severity' is Set to 'High' - Level 1 (Automated) | | | | |
| 💼 2.4 Integrations | 2 | | | |
| 💼 2.4.1 Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected - Level 2 (Manual) | | | | |
| 💼 2.4.2 Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected - Level 2 (Manual) | | | | |
| 💼 2.5 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' - Level 1 (Manual) | | | | |
| 💼 2.6 Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled' - Level 1 (Manual) | | | | |
| 💼 3 Storage Accounts | 15 | | | |
| 💼 3.1 Ensure that 'Secure transfer required' is set to 'Enabled' - Level 1 (Automated) | | 1 | 1 | |
| 💼 3.2 Ensure that ‘Enable Infrastructure Encryption’ for Each Storage Account in Azure Storage is Set to ‘enabled’ - Level 2 (Manual) | | 1 | 1 | |
| 💼 3.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account - Level 1 (Manual) | | | | |
| 💼 3.4 Ensure that Storage Account Access Keys are Periodically Regenerated - Level 1 (Manual _ Not supported, no API/CLI available by Azure) | | | | |
| 💼 3.5 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests - Level 2 (Automated) | | 1 | 1 | |
| 💼 3.6 Ensure that Shared Access Signature Tokens Expire Within an Hour - Level 1 (Manual _ Not supported, no API/CLI available by Azure) | | | | |
| 💼 3.7 Ensure that 'Public access level' is disabled for storage accounts with blob containers - Level 1 (Automated) | | | | |
| 💼 3.8 Ensure Default Network Access Rule for Storage Accounts is Set to Deny - Level 1 (Automated) | | | | |
| 💼 3.9 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access - Level 2 (Automated) | | 1 | 1 | |
| 💼 3.10 Ensure Private Endpoints are used to access Storage Accounts - Level 1 (Manual) | | | | |
| 💼 3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage - Level 1 (Automated) | | 1 | 1 | |
| 💼 3.12 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys - Level 2 (Manual) | | | | |
| 💼 3.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests - Level 2 (Automated) | | 1 | 1 | |
| 💼 3.14 Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests - Level 2 (Automated) | | | | |
| 💼 3.15 Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2" - Level 1 (Automated) | | 1 | 1 | |
| 💼 4 Database Services | 5 | | | |
| 💼 4.1 SQL Server - Auditing | 6 | | | |
| 💼 4.1.1 Ensure that 'Auditing' is set to 'On' - Level 1 (Automated) | | 1 | 1 | |
| 💼 4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) - Level 1 (Automated) | | 1 | 1 | |
| 💼 4.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key - Level 2 (Automated) | | 1 | 1 | |
| 💼 4.1.4 Ensure that Azure Active Directory Admin is Configured for SQL Servers - Level 1 (Automated) | | 1 | 1 | |
| 💼 4.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database - Level 1 (Automated) | | | | |
| 💼 4.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days' - Level 1 (Automated) | | 1 | 1 | |
| 💼 4.2 SQL Server - Microsoft Defender for SQL | 5 | | | |
| 💼 4.2.1 Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers - Level 2 (Automated) | | | | |
| � 💼 4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account - Level 2 (Automated) | | | | |
| 💼 4.2.3 Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server - Level 2 (Automated) | | | | |
| 💼 4.2.4 Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server - Level 2 (Automated) | | | | |
| 💼 4.2.5 Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server - Level 1 (Automated) | | | | |
| 💼 4.3 PostgreSQL Database Server | 8 | | | |
| 💼 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server - Level 1 (Automated) | | 1 | 1 | |
| 💼 4.3.2 Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server - Level 1 (Automated) | | 1 | 1 | |
| 💼 4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server - Level 1 (Automated) | | 1 | 1 | |
| 💼 4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server - Level 1 (Automated) | | 1 | 1 | |
| 💼 4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server - Level 1 (Automated) | | 1 | 1 | |
| 💼 4.3.6 Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server - Level 1 (Automated) | | 1 | 1 | |
| 💼 4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled - Level 1 (Manual) | | 1 | 1 | |
| 💼 4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' - Level 1 (Automated) | | 1 | 1 | |
| 💼 4.4 MySQL Database | 4 | | | |
| 💼 4.4.1 Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server - Level 1 (Automated) | | 1 | 1 | |
| 💼 4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server - Level 1 (Automated) | | 1 | 1 | |
| 💼 4.4.3 Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server - Level 2 (Manual) | | | | |
| 💼 4.4.4 Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server - Level 2 (Manual) | | | | |
| 💼 4.5 Cosmos DB | 2 | | | |
| 💼 4.5.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks - Level 2 (Manual) | | | | |
| 💼 4.5.2 Ensure That Private Endpoints Are Used Where Possible - Level 2 (Manual) | | | | |
| 💼 5 Logging and Monitoring | 3 | | | |
| 💼 5.1 Configuring Diagnostic Settings | 7 | | | |
| 💼 5.1.1 Ensure that a 'Diagnostic Setting' exists - Level 1 (Manual) | | | | |
| 💼 5.1.2 Ensure Diagnostic Setting captures appropriate categories - Level 1 (Automated) | | 1 | 1 | |
| 💼 5.1.3 Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible - Level 1 (Automated) | | | | |
| 💼 5.1.4 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key - Level 2 (Automated) | | 1 | 1 | |
| 💼 5.1.5 Ensure that logging for Azure Key Vault is 'Enabled' - Level 1 (Automated) | | 1 | 1 | |
| 💼 5.1.6 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics - Level 2 (Manual) | | | | |
| 💼 5.1.7 Ensure that logging for Azure AppService 'AppServiceHTTPLogs' is enabled. - Level 2 (Manual) | | | | |
| 💼 5.2 Monitoring using Activity Log Alerts | 10 | | | |
| 💼 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment - Level 1 (Automated) | | 1 | 1 | |
| 💼 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment - Level 1 (Automated) | | 1 | 1 | |
| 💼 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group - Level 1 (Automated) | | 1 | 1 | |
| 💼 5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group - Level 1 (Automated) | | 1 | 1 | |
| 💼 5.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution - Level 1 (Automated) | | | | |
| 💼 5.2.6 Ensure that Activity Log Alert exists for Delete Security Solution - Level 1 (Automated) | | 1 | 1 | |
| 💼 5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule - Level 1 (Automated) | | 1 | 1 | |
| 💼 5.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule - Level 1 (Automated) | | 1 | 1 | |
| 💼 5.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule - Level 1 (Automated) | | | | |
| 💼 5.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule - Level 1 (Automated) | | | | |
| 💼 5.3 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it - Level 1 (Manual) | | | | |
| 💼 6 Networking | 7 | | | |
| 💼 6.1 Ensure that RDP access from the Internet is evaluated and restricted - Level 1 (Automated) | | 1 | 1 | |
| 💼 6.2 Ensure that SSH access from the Internet is evaluated and restricted - Level 1 (Automated) | | 1 | 1 | |
| 💼 6.3 Ensure that UDP access from the Internet is evaluated and restricted - Level 1 (Automated) | | 1 | 1 | |
| 💼 6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted - Level 1 (Automated) | | 1 | 1 | |
| 💼 6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' - Level 2 (Automated) | | 1 | 1 | |
| 💼 6.6 Ensure that Network Watcher is 'Enabled' - Level 2 (Manual) | | | | |
| 💼 6.7 Ensure that Public IP addresses are Evaluated on a Periodic Basis - Level 1 (Manual) | | | | |
| 💼 7 Virtual Machines | 6 | | | |
| 💼 7.1 Ensure Virtual Machines are utilizing Managed Disks - Level 1 (Manual) | | 1 | 1 | |
| 💼 7.2 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) - Level 2 (Automated) | | 1 | 1 | |
| 💼 7.3 Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) - Level 2 (Automated) | | 1 | 1 | |
| 💼 7.4 Ensure that Only Approved Extensions Are Installed - Level 1 (Manual) | | | | |
| 💼 7.5 Ensure that Endpoint Protection for all Virtual Machines is installed - Level 2 (Manual) | | | | |
| 💼 7.6 [Legacy] Ensure that VHDs are Encrypted - Level 2 (Manual) | | | | |
| 💼 8 Key Vault | 8 | | | |
| 💼 8.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults - Level 1 (Automated) | | | | |
| 💼 8.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults. - Level 1 (Automated) | | | | |
| 💼 8.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults - Level 1 (Automated) | | | | |
| 💼 8.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults - Level 1 (Automated) | | | | |
| 💼 8.5 Ensure the Key Vault is Recoverable - Level 1 (Automated) | | | | |
| 💼 8.6 Enable Role Based Access Control for Azure Key Vault - Level 2 (Manual) | | | | |
| 💼 8.7 Ensure that Private Endpoints are Used for Azure Key Vault - Level 2 (Manual) | | 1 | 1 | |
| 💼 8.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services - Level 2 (Manual) | | | | |
| 💼 9 AppService | 11 | | | |
| 💼 9.1 Ensure App Service Authentication is set up for apps in Azure App Service - Level 2 (Automated) | | 1 | 1 | |
| 💼 9.2 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service - Level 1 (Automated) | | 1 | 1 | |
| 💼 9.3 Ensure Web App is using the latest version of TLS encryption - Level 1 (Automated) | | | | |
| 💼 9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' - Level 2 (Automated) | | | | |
| 💼 9.5 Ensure that Register with Azure Active Directory is enabled on App Service - Level 1 (Automated) | | 1 | 1 | |
| 💼 9.6 Ensure That 'PHP version' is the Latest, If Used to Run the Web App - Level 1 (Manual) | | 1 | 1 | |
| 💼 9.7 Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App - Level 1 (Manual) | | 1 | 1 | |
| 💼 9.8 Ensure that 'Java version' is the latest, if used to run the Web App - Level 1 (Manual) | | 1 | 1 | |
| 💼 9.9 Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App - Level 1 (Automated) | | | | |
| 💼 9.10 Ensure FTP deployments are Disabled - Level 1 (Automated) | | 1 | 1 | |
| 💼 9.11 Ensure Azure Key Vaults are Used to Store Secrets - Level 2 (Manual) | | | | |
| 💼 10 Miscellaneous | 1 | | | |
| 💼 10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources - Level 2 (Manual) | | | | |