| 💼 9.1 Microsoft Defender for Cloud | 17 | | | |
| 💼 9.1.1 Microsoft Cloud Security Posture Management (CSPM) | | | | |
| 💼 9.1.2 Defender Plan: APIs | | | | |
| 💼 9.1.3 Defender Plan: Servers | 5 | | | |
| 💼 9.1.3.1 Ensure that Defender for Servers is set to 'On' (Automated) | | | 1 | |
| 💼 9.1.3.2 Ensure that 'Vulnerability assessment for machines' component status is set to 'On' (Manual) | | | 1 | |
| 💼 9.1.3.3 Ensure that 'Endpoint protection' component status is set to 'On' (Manual) | | | 1 | |
| 💼 9.1.3.4 Ensure that 'Agentless scanning for machines' component status is set to 'On' (Manual) | | | 1 | |
| 💼 9.1.3.5 Ensure that 'File Integrity Monitoring' component status is set to 'On' (Manual) | | | 1 | |
| 💼 9.1.4 Defender Plan: Containers | 1 | | | |
| 💼 9.1.4.1 Ensure That Microsoft Defender for Containers Is Set To 'On' (Automated) | | | 1 | |
| 💼 9.1.5 Defender Plan: Storage | 1 | | | |
| 💼 9.1.5.1 Ensure That Microsoft Defender for Storage Is Set To 'On' (Automated) | | | 1 | |
| 💼 9.1.6 Defender Plan: App Service | 1 | | | |
| 💼 9.1.6.1 Ensure That Microsoft Defender for App Services Is Set To 'On' (Automated) | | | 1 | |
| 💼 9.1.7 Defender Plan: Databases | 4 | | | |
| 💼 9.1.7.1 Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On' (Automated) | | | 1 | |
| 💼 9.1.7.2 Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' (Automated) | | | 1 | |
| 💼 9.1.7.3 Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On' (Automated) | | | 1 | |
| 💼 9.1.7.4 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' (Automated) | | | 1 | |
| 💼 9.1.8 Defender Plan: Key Vault | 1 | | | |
| 💼 9.1.8.1 Ensure That Microsoft Defender for Key Vault Is Set To 'On' (Automated) | | | 1 | |
| 💼 9.1.9 Defender Plan: Resource Manager | 1 | | | |
| 💼 9.1.9.1 Ensure That Microsoft Defender for Resource Manager Is Set To 'On' (Automated) | | | 1 | |
| 💼 9.1.10 Ensure that Microsoft Defender for Cloud is configured to check VM operating systems for updates (Automated) | | | 1 | |
| 💼 9.1.11 Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled' (Manual) | | | 1 | |
| 💼 9.1.12 Ensure That 'All users with the following roles' is set to 'Owner' (Automated) | | | 1 | |
| 💼 9.1.13 Ensure 'Additional email addresses' is Configured with a Security Contact Email (Automated) | | | 1 | |
| 💼 9.1.14 Ensure that 'Notify about alerts with the following severity (or higher)' is enabled (Automated) | | | 1 | |
| 💼 9.1.15 Ensure that 'Notify about attack paths with the following risk level (or higher)' is enabled (Automated) | | | 1 | |
| 💼 9.1.16 Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled (Manual) | | | 1 | |
| 💼 9.1.17 [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On' (Automated) | | | | |
| 💼 9.2 Microsoft Defender for IoT | 1 | | | |
| 💼 9.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On' (Manual) | | | 1 | |
| 💼 9.3 Key Vault | 10 | | | |
| 💼 9.3.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults (Automated) | | | 1 | |
| 💼 9.3.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults. (Automated) | | | 1 | |
| 💼 9.3.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults (Automated) | | | 1 | |
| 💼 9.3.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults (Automated) | | | 1 | |
| 💼 9.3.5 Ensure the Key Vault is Recoverable (Automated) | | | 1 | |
| 💼 9.3.6 Ensure that Role Based Access Control for Azure Key Vault is enabled (Automated) | | | 1 | |
| 💼 9.3.7 Ensure that Public Network Access when using Private Endpoint is disabled (Automated) | | | 1 | |
| 💼 9.3.8 Ensure that Private Endpoints are Used for Azure Key Vault (Automated) | | | 1 | |
| 💼 9.3.9 Ensure automatic key rotation is enabled within Azure Key Vault (Automated) | | | 1 | |
| 💼 9.3.10 Ensure that Azure Key Vault Managed HSM is used when required (Manual) | | | 1 | |
| 💼 9.4 Azure Bastion | 1 | | | |
| 💼 9.4.1 Ensure an Azure Bastion Host Exists (Automated) | | | 1 | |