💼 2 Identity | 26 | | | |
💼 2.1 Security Defaults (Per-User MFA) | 4 | | | |
💼 2.1.1 Ensure Security Defaults is enabled on Microsoft Entra ID (Manual) | | | 1 | |
💼 2.1.2 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users (Manual) | | | 1 | |
💼 2.1.3 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users (Manual) | | | 1 | |
💼 2.1.4 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled (Manual) | | | 1 | |
💼 2.2 Conditional Access | 8 | | | |
💼 2.2.1 Ensure Trusted Locations Are Defined (Manual) | | | 1 | |
💼 2.2.2 Ensure that an exclusionary Geographic Access Policy is considered (Manual) | | | 1 | |
💼 2.2.3 Ensure that an exclusionary Device code flow policy is considered (Manual) | | | 1 | |
💼 2.2.4 Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups (Manual) | | | 1 | |
💼 2.2.5 Ensure that A Multi-factor Authentication Policy Exists for All Users (Manual) | | | 1 | |
💼 2.2.6 Ensure Multi-factor Authentication is Required for Risky Sign-ins (Manual) | | | 1 | |
💼 2.2.7 Ensure Multi-factor Authentication is Required for Windows Azure Service Management API (Manual) | | | 1 | |
💼 2.2.8 Ensure Multi-factor Authentication is Required to access Microsoft Admin Portals (Manual) | | | 1 | |
💼 2.3 Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' (Automated) | | | 1 | |
💼 2.4 Ensure Guest Users Are Reviewed on a Regular Basis (Manual) | | | 1 | |
💼 2.5 Ensure That 'Number of methods required to reset' is set to '2' (Manual) | | | 1 | |
💼 2.6 Ensure that account 'Lockout Threshold' is less than or equal to '10' (Manual) | | | 1 | |
💼 2.7 Ensure that account 'Lockout duration in seconds' is greater than or equal to '60' (Manual) | | | 1 | |
💼 2.8 Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization (Manual) | | | 1 | |
💼 2.9 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' (Manual) | | | 1 | |
💼 2.10 Ensure that 'Notify users on password resets?' is set to 'Yes' (Manual) | | | 1 | |
💼 2.11 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' (Manual) | | | 1 | |
💼 2.12 Ensure 'User consent for applications' is set to 'Do not allow user consent' (Manual) | | | 1 | |
💼 2.13 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers' (Manual) | | | 1 | |
💼 2.14 Ensure That 'Users Can Register Applications' Is Set to 'No' (Automated) | | | 1 | |
💼 2.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' (Automated) | | | 1 | |
💼 2.16 Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' (Automated) | | | 1 | |
💼 2.17 Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes' (Manual) | | | 1 | |
💼 2.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' (Manual) | | | 1 | |
💼 2.19 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' (Manual) | | | 1 | |
💼 2.20 Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No' (Manual) | | | 1 | |
💼 2.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' (Manual) | | | 1 | |
💼 2.22 Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes' (Manual) | | | 1 | |
💼 2.23 Ensure That No Custom Subscription Administrator Roles Exist (Automated) | | | 1 | |
💼 2.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks (Manual) | | | 1 | |
💼 2.25 Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one' (Manual) | | | 1 | |
💼 2.26 Ensure fewer than 5 users have global administrator assignment (Manual) | | | 1 | |
💼 3 Security | 3 | | | |
💼 3.1 Microsoft Defender for Cloud | 16 | | | |
💼 3.1.1 Microsoft Cloud Security Posture Management (CSPM) | 2 | | | |
💼 3.1.1.1 Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' (Automated) | | | 1 | |
💼 3.1.1.2 Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected (Automated) | | | 1 | |
💼 3.1.2 Defender Plan: APIs | | | | |
💼 3.1.3 Defender Plan: Servers | 5 | | | |
💼 3.1.3.1 Ensure That Microsoft Defender for Servers Is Set to 'On' (Automated) | | | 1 | |
💼 3.1.3.2 Ensure that 'Vulnerability assessment for machines' component status is set to 'On' (Manual) | | | 1 | |
💼 3.1.3.3 Ensure that 'Endpoint protection' component status is set to 'On' (Manual) | | | 1 | |
💼 3.1.3.4 Ensure that 'Agentless scanning for machines' component status is set to 'On' (Manual) | | | 1 | |
💼 3.1.3.5 Ensure that 'File Integrity Monitoring' component status is set to 'On' (Manual) | | | 1 | |
💼 3.1.4 Defender Plan: Containers | 3 | | | |
💼 3.1.4.1 Ensure That Microsoft Defender for Containers Is Set To 'On' (Automated) | | | 1 | |
💼 3.1.4.2 Ensure that 'Agentless discovery for Kubernetes' component status 'On' (Automated) | | | 1 | |
💼 3.1.4.3 Ensure that 'Agentless container vulnerability assessment' component status is 'On' (Automated) | | | 1 | |
💼 3.1.5 Defender Plan: Storage | 1 | | | |
💼 3.1.5.1 Ensure That Microsoft Defender for Storage Is Set To 'On' (Automated) | | | 1 | |
💼 3.1.6 Defender Plan: App Service | 1 | | | |
💼 3.1.6.1 Ensure That Microsoft Defender for App Services Is Set To 'On' (Automated) | | | 1 | |
💼 3.1.7 Defender Plan: Databases | 4 | | | |
💼 3.1.7.1 Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On' (Automated) | | | 1 | |
💼 3.1.7.2 Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' (Automated) | | | 1 | |
💼 3.1.7.3 Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On' (Automated) | | | 1 | |
💼 3.1.7.4 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' (Automated) | | | 1 | |
💼 3.1.8 Defender Plan: Key Vault | 1 | | | |
💼 3.1.8.1 Ensure That Microsoft Defender for Key Vault Is Set To 'On' (Automated) | | | 1 | |
💼 3.1.9 Defender Plan: Resource Manager | 1 | | | |
💼 3.1.9.1 Ensure That Microsoft Defender for Resource Manager Is Set To 'On' (Automated) | | | 1 | |
💼 3.1.10 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' (Automated) | | | 1 | |
💼 3.1.11 Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled' (Manual) | | | 1 | |
💼 3.1.12 Ensure That 'All users with the following roles' is set to 'Owner' (Automated) | | | 1 | |
💼 3.1.13 Ensure 'Additional email addresses' is Configured with a Security Contact Email (Automated) | | | 1 | |
💼 3.1.14 Ensure That 'Notify about alerts with the following severity' is Set to 'High' (Automated) | | | 1 | |
💼 3.1.15 Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled (Manual) | | | 1 | |
💼 3.1.16 [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On' (Automated) | | | 1 | |
💼 3.2 Microsoft Defender for IoT | 1 | | | |
💼 3.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On' (Manual) | | | 1 | |
💼 3.3 Key Vault | 8 | | | |
💼 3.3.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults (Automated) | | | 1 | |
💼 3.3.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults (Automated) | | | 1 | |
💼 3.3.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults (Automated) | | | 1 | |
💼 3.3.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults (Automated) | | | 1 | |
💼 3.3.5 Ensure the Key Vault is Recoverable (Automated) | | | 1 | |
💼 3.3.6 Enable Role Based Access Control for Azure Key Vault (Automated) | | | 1 | |
💼 3.3.7 Ensure that Private Endpoints are Used for Azure Key Vault (Automated) | | | 1 | |
💼 3.3.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services (Automated) | | | 1 | |
💼 4 Storage Accounts | 17 | | | |
💼 4.1 Ensure that 'Secure transfer required' is set to 'Enabled' (Automated) | | | 1 | |
💼 4.2 Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled' (Automated) | | | 1 | |
💼 4.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account (Manual) | | | 1 | |
💼 4.4 Ensure that Storage Account Access Keys are Periodically Regenerated (Manual) | | | 1 | |
💼 4.5 Ensure that Shared Access Signature Tokens Expire Within an Hour (Manual) | | | 1 | |
💼 4.6 Ensure that 'Public Network Access' is 'Disabled' for storage accounts (Automated) | | | 1 | |
💼 4.7 Ensure Default Network Access Rule for Storage Accounts is Set to Deny (Automated) | | | 1 | |
💼 4.8 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access (Automated) | | | 1 | |
💼 4.9 Ensure Private Endpoints are used to access Storage Accounts (Automated) | | | 1 | |
💼 4.10 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage (Automated) | | | 1 | |
💼 4.11 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK) (Manual) | | | 1 | |
💼 4.12 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests (Automated) | | | 1 | |
💼 4.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests (Automated) | | | 1 | |
💼 4.14 Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests (Automated) | | | 1 | |
💼 4.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' (Automated) | | | 1 | |
💼 4.16 Ensure 'Cross Tenant Replication' is not enabled (Automated) | | | 1 | |
💼 4.17 Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled' (Automated) | | | 1 | |
💼 5 Database Services | 4 | | | |
💼 5.1 Azure SQL Database | 7 | | | |
💼 5.1.1 Ensure that 'Auditing' is set to 'On' (Automated) | | | 1 | |
💼 5.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) (Automated) | | | 1 | |
💼 5.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key (Automated) | | | 1 | |
💼 5.1.4 Ensure that Microsoft Entra authentication is Configured for SQL Servers (Automated) | | | 1 | |
💼 5.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database (Automated) | | | 1 | |
💼 5.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days' (Automated) | | | 1 | |
💼 5.1.7 Ensure Public Network Access is Disabled (Manual) | | | 1 | |
💼 5.2 Azure Database for PostgreSQL | 8 | | | |
💼 5.2.1 Ensure server parameter 'require_secure_transport' is set to 'ON' for PostgreSQL flexible server (Automated) | | | 1 | |
💼 5.2.2 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible server (Automated) | | | 1 | |
💼 5.2.3 Ensure server parameter 'connection_throttle.enable' is set to 'ON' for PostgreSQL flexible server (Automated) | | | 1 | |
💼 5.2.4 Ensure server parameter 'logfiles.retention_days' is greater than 3 days for PostgreSQL flexible server (Automated) | | | 1 | |
💼 5.2.5 Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled (Automated) | | | 1 | |
💼 5.2.6 [LEGACY] Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single server (Automated) | | | 1 | |
💼 5.2.7 [LEGACY] Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single server (Automated) | | | 1 | |
💼 5.2.8 [LEGACY] Ensure 'Infrastructure double encryption' for PostgreSQL single server is 'Enabled' (Automated) | | | 1 | |
💼 5.3 Azure Database for MySQL | 4 | | | |
💼 5.3.1 Ensure server parameter 'require_secure_transport' is set to 'ON' for MySQL flexible server (Automated) | | | 1 | |
💼 5.3.2 Ensure server parameter 'tls_version' is set to 'TLSv1.2' (or higher) for MySQL flexible server (Automated) | | | 1 | |
💼 5.3.3 Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL flexible server (Automated) | | | 1 | |
💼 5.3.4 Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL flexible server (Automated) | | | 1 | |
💼 5.4 Azure Cosmos DB | 3 | | | |
💼 5.4.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks (Automated) | | | 1 | |
💼 5.4.2 Ensure That Private Endpoints Are Used Where Possible (Automated) | | | 1 | |
💼 5.4.3 Use Entra ID Client Authentication and Azure RBAC where possible (Manual) | | | 1 | |
💼 6 Logging and Monitoring | 5 | | | |
💼 6.1 Configuring Diagnostic Settings | 6 | | | |
💼 6.1.1 Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs (Manual) | | | 1 | |
💼 6.1.2 Ensure Diagnostic Setting captures appropriate categories (Automated) | | | 1 | |
💼 6.1.3 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK) (Automated) | | | 1 | |
💼 6.1.4 Ensure that logging for Azure Key Vault is 'Enabled' (Automated) | | | 1 | |
💼 6.1.5 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics (Manual) | | | 1 | |
💼 6.1.6 Ensure that logging for Azure AppService 'HTTP logs' is enabled (Manual) | | | 1 | |
💼 6.2 Monitoring using Activity Log Alerts | 10 | | | |
💼 6.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment (Automated) | | | 1 | |
💼 6.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment (Automated) | | | 1 | |
💼 6.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group (Automated) | | | 1 | |
💼 6.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group (Automated) | | | 1 | |
💼 6.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution (Automated) | | | 1 | |
💼 6.2.6 Ensure that Activity Log Alert exists for Delete Security Solution (Automated) | | | 1 | |
💼 6.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule (Automated) | | | 1 | |
💼 6.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule (Automated) | | | 1 | |
💼 6.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule (Automated) | | | 1 | |
💼 6.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule (Automated) | | | 1 | |
💼 6.3 Configuring Application Insights | 1 | | | |
💼 6.3.1 Ensure Application Insights are Configured (Automated) | | | 1 | |
💼 6.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it (Manual) | | | 1 | |
💼 6.5 Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) (Manual) | | | 1 | |
💼 7 Networking | 7 | | | |
💼 7.1 Ensure that RDP access from the Internet is evaluated and restricted (Automated) | | | 1 | |
💼 7.2 Ensure that SSH access from the Internet is evaluated and restricted (Automated) | | | 1 | |
💼 7.3 Ensure that UDP access from the Internet is evaluated and restricted (Automated) | | | 1 | |
💼 7.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted (Automated) | | | 1 | |
💼 7.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' (Automated) | | | 1 | |
💼 7.6 Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use (Automated) | | | 1 | |
💼 7.7 Ensure that Public IP addresses are Evaluated on a Periodic Basis (Manual) | | | 1 | |
💼 8 Virtual Machines | 11 | | | |
💼 8.1 Ensure an Azure Bastion Host Exists (Automated) | | | 1 | |
💼 8.2 Ensure Virtual Machines are utilizing Managed Disks (Automated) | | | 1 | |
💼 8.3 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) (Automated) | | | 1 | |
💼 8.4 Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) (Automated) | | | 1 | |
💼 8.5 Ensure that 'Disk Network Access' is NOT set to 'Enable public access from all networks' (Automated) | | | 1 | |
💼 8.6 Ensure that 'Enable Data Access Authentication Mode' is 'Checked' (Automated) | | | 1 | |
💼 8.7 Ensure that Only Approved Extensions Are Installed (Manual) | | | 1 | |
💼 8.8 Ensure that Endpoint Protection for all Virtual Machines is installed (Manual) | | | 1 | |
💼 8.9 [Legacy] Ensure that VHDs are Encrypted (Manual) | | | 1 | |
💼 8.10 Ensure only MFA enabled identities can access privileged Virtual Machine (Manual) | | | 1 | |
💼 8.11 Ensure Trusted Launch is enabled on Virtual Machines (Automated) | | | 1 | |
💼 9 AppService | 12 | | | |
💼 9.1 Ensure 'HTTPS Only' is set to 'On' (Automated) | | | 1 | |
💼 9.2 Ensure App Service Authentication is set up for apps in Azure App Service (Automated) | | | 1 | |
💼 9.3 Ensure 'FTP State' is set to 'FTPS Only' or 'Disabled' (Automated) | | | 1 | |
💼 9.4 Ensure Web App is using the latest version of TLS encryption (Automated) | | | 1 | |
💼 9.5 Ensure that Register with Entra ID is enabled on App Service (Automated) | | | 1 | |
💼 9.6 Ensure that 'Basic Authentication' is 'Disabled' (Manual) | | | 1 | |
💼 9.7 Ensure that 'PHP version' is currently supported (if in use) (Manual) | | | 1 | |
💼 9.8 Ensure that 'Python version' is currently supported (if in use) (Manual) | | | 1 | |
💼 9.9 Ensure that 'Java version' is currently supported (if in use) (Manual) | | | 1 | |
💼 9.10 Ensure that 'HTTP20enabled' is set to 'true' (if in use) (Automated) | | | 1 | |
💼 9.11 Ensure Azure Key Vaults are Used to Store Secrets (Manual) | | | 1 | |
💼 9.12 Ensure that 'Remote debugging' is set to 'Off' (Automated) | | | 1 | |
💼 10 Miscellaneous | 1 | | | |
💼 10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources (Manual) | | | 1 | |