3 Analytics Services | 1 | | | |
3.1 Azure Databricks | 8 | | | |
3.1.1 Ensure that Azure Databricks is deployed in a customer-managed virtual network (VNet) (Automated) | | | 1 | |
3.1.2 Ensure that network security groups are configured for Databricks subnets (Manual) | | | 1 | |
3.1.3 Ensure that traffic is encrypted between cluster worker nodes (Manual) | | | 1 | |
3.1.4 Ensure that users and groups are synced from Microsoft Entra ID to Azure Databricks (Manual) | | | 1 | |
3.1.5 Ensure that Unity Catalog is configured for Azure Databricks (Manual) | | | 1 | |
3.1.6 Ensure that usage is restricted and expiry is enforced for Databricks personal access tokens (Manual) | | | 1 | |
3.1.7 Ensure that diagnostic log delivery is configured for Azure Databricks (Manual) | | | 1 | |
3.1.8 Ensure that data at rest and in transit is encrypted in Azure Databricks using customer-managed keys (CMK) (Automated) | | | 1 | |
4 Compute Services | 1 | | | |
4.1 Virtual Machines | 1 | | | |
4.1.1 Ensure only MFA-enabled identities can access privileged Virtual Machines (Manual) | | | 1 | |
5 Database Services (reference) | | | | |
6 Identity Services | 26 | | | |
6.1 Security Defaults (Per-User MFA) | 3 | | | |
6.1.1 Ensure that 'security defaults' is enabled in Microsoft Entra ID (Manual) | | | 1 | |
6.1.2 Ensure that 'multifactor authentication' is 'enabled' for all users (Manual) | | | 1 | |
6.1.3 Ensure that 'Allow users to remember multifactor authentication on devices they trust' is disabled (Manual) | | | 1 | |
6.2 Conditional Access | 7 | | | |
6.2.1 Ensure that 'trusted locations' are defined (Manual) | | | 1 | |
6.2.2 Ensure that an exclusionary geographic Conditional Access policy is considered (Manual) | | | 1 | |
6.2.3 Ensure that an exclusionary device code flow policy is considered (Manual) | | | 1 | |
6.2.4 Ensure that a multifactor authentication policy exists for all users (Manual) | | | 1 | |
6.2.5 Ensure that multifactor authentication is required for risky sign-ins (Manual) | | | 1 | |
6.2.6 Ensure that multifactor authentication is required for Windows Azure Service Management API (Manual) | | | 1 | |
6.2.7 Ensure that multifactor authentication is required to access Microsoft Admin Portals (Manual) | | | 1 | |
6.3 Periodic Identity Reviews | 4 | | | |
6.3.1 Ensure that Azure admin accounts are not used for daily operations (Manual) | | | 1 | |
6.3.2 Ensure that guest users are reviewed on a regular basis (Manual) | | | 1 | |
6.3.3 Ensure that use of the 'User Access Administrator' role is restricted (Automated) | | | 1 | |
6.3.4 Ensure that all 'privileged' role assignments are periodically reviewed (Manual) | | | 1 | |
6.4 Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' (Automated) | | | 1 | |
6.5 Ensure that 'Number of methods required to reset' is set to '2' (Manual) | | | 1 | |
6.6 Ensure that account 'Lockout threshold' is less than or equal to '10' (Manual) | | | 1 | |
6.7 Ensure that account 'Lockout duration in seconds' is greater than or equal to '60' (Manual) | | | 1 | |
6.8 Ensure that a 'Custom banned password list' is set to 'Enforce' (Manual) | | | 1 | |
6.9 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' (Manual) | | | 1 | |
6.10 Ensure that 'Notify users on password resets?' is set to 'Yes' (Manual) | | | 1 | |
6.11 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' (Manual) | | | 1 | |
6.12 Ensure that 'User consent for applications' is set to 'Do not allow user consent' (Manual) | | | 1 | |
6.13 Ensure that 'User consent for applications' is set to 'Allow user consent for apps from verified publishers, for selected permissions' (Manual) | | | 1 | |
6.14 Ensure that 'Users can register applications' is set to 'No' (Automated) | | | 1 | |
6.15 Ensure that 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' (Automated) | | | 1 | |
6.16 Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' (Automated) | | | 1 | |
6.17 Ensure that 'Restrict access to Microsoft Entra admin center' is set to 'Yes' (Manual) | | | 1 | |
6.18 Ensure that 'Restrict user ability to access groups features in My Groups' is set to 'Yes' (Manual) | | | 1 | |
6.19 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' (Manual) | | | 1 | |
6.20 Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No' (Manual) | | | 1 | |
6.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' (Manual) | | | 1 | |
6.22 Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes' (Manual) | | | 1 | |
6.23 Ensure that no custom subscription administrator roles exist (Automated) | | | 1 | |
6.24 Ensure that a custom role is assigned permissions for administering resource locks (Manual) | | | 1 | |
6.25 Ensure that 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' are set to 'Permit no one' (Manual) | | | 1 | |
6.26 Ensure fewer than 5 users have global administrator assignment (Manual) | | | 1 | |
7 Management and Governance Services | 2 | | | |
7.1 Logging and Monitoring | 5 | | | |
7.1.1 Configuring Diagnostic Settings | 10 | | | |
7.1.1.1 Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs (Manual) | | | 1 | |
7.1.1.2 Ensure Diagnostic Setting captures appropriate categories (Automated) | | | 1 | |
7.1.1.3 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK) (Automated) | | | 1 | |
7.1.1.4 Ensure that logging for Azure Key Vault is 'Enabled' (Automated) | | | 1 | |
7.1.1.5 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics (Manual) | | | 1 | |
7.1.1.6 Ensure that logging for Azure App Service 'HTTP logs' is enabled (Automated) | | | 1 | |
7.1.1.7 Ensure that virtual network flow logs are captured and sent to Log Analytics (Manual) | | | 1 | |
7.1.1.8 Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Graph activity logs to an appropriate destination (Manual) | | | 1 | |
7.1.1.9 Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Entra activity logs to an appropriate destination (Manual) | | | 1 | |
7.1.1.10 Ensure that Intune logs are captured and sent to Log Analytics (Manual) | | | 1 | |
7.1.2 Monitoring using Activity Log Alerts | 11 | | | |
7.1.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment (Automated) | | | 1 | |
7.1.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment (Automated) | | | 1 | |
7.1.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group (Automated) | | | 1 | |
7.1.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group (Automated) | | | 1 | |
7.1.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution (Automated) | | | 1 | |
7.1.2.6 Ensure that Activity Log Alert exists for Delete Security Solution (Automated) | | | 1 | |
7.1.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule (Automated) | | | 1 | |
7.1.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule (Automated) | | | 1 | |
7.1.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule (Automated) | | | 1 | |
7.1.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule (Automated) | | | 1 | |
7.1.2.11 Ensure that an Activity Log Alert exists for Service Health (Automated) | | | 1 | |
7.1.3 Configuring Application Insights | 1 | | | |
7.1.3.1 Ensure Application Insights are Configured (Automated) | | | 1 | |
7.1.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it (Manual) | | | 1 | |
7.1.5 Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) (Manual) | | | 1 | |
7.2 Ensure that Resource Locks are set for Mission-Critical Azure Resources (Manual) | | | 1 | |
8 Networking Services | 8 | | | |
8.1 Ensure that RDP access from the Internet is evaluated and restricted (Automated) | | | 1 | |
8.2 Ensure that SSH access from the Internet is evaluated and restricted (Automated) | | | 1 | |
8.3 Ensure that UDP access from the Internet is evaluated and restricted (Automated) | | | 1 | |
8.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted (Automated) | | | 1 | |
8.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' (Automated) | | | 1 | |
8.6 Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use (Automated) | | | 1 | |
8.7 Ensure that Public IP addresses are Evaluated on a Periodic Basis (Manual) | | | 1 | |
8.8 Ensure that virtual network flow log retention days is set to greater than or equal to 90 (Automated) | | | 1 | |
9 Security Services | 4 | | | |
9.1 Microsoft Defender for Cloud | 17 | | | |
9.1.1 Microsoft Cloud Security Posture Management (CSPM) | | | | |
9.1.2 Defender Plan: APIs | | | | |
9.1.3 Defender Plan: Servers | 5 | | | |
9.1.3.1 Ensure that Defender for Servers is set to 'On' (Automated) | | | 1 | |
9.1.3.2 Ensure that 'Vulnerability assessment for machines' component status is set to 'On' (Manual) | | | 1 | |
9.1.3.3 Ensure that 'Endpoint protection' component status is set to 'On' (Manual) | | | 1 | |
9.1.3.4 Ensure that 'Agentless scanning for machines' component status is set to 'On' (Manual) | | | 1 | |
9.1.3.5 Ensure that 'File Integrity Monitoring' component status is set to 'On' (Manual) | | | 1 | |
9.1.4 Defender Plan: Containers | 1 | | | |
9.1.4.1 Ensure That Microsoft Defender for Containers Is Set To 'On' (Automated) | | | 1 | |
9.1.5 Defender Plan: Storage | 1 | | | |
9.1.5.1 Ensure That Microsoft Defender for Storage Is Set To 'On' (Automated) | | | 1 | |
9.1.6 Defender Plan: App Service | 1 | | | |
9.1.6.1 Ensure That Microsoft Defender for App Services Is Set To 'On' (Automated) | | | 1 | |
9.1.7 Defender Plan: Databases | 4 | | | |
9.1.7.1 Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On' (Automated) | | | 1 | |
9.1.7.2 Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' (Automated) | | | 1 | |
9.1.7.3 Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On' (Automated) | | | 1 | |
9.1.7.4 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' (Automated) | | | 1 | |
9.1.8 Defender Plan: Key Vault | 1 | | | |
9.1.8.1 Ensure That Microsoft Defender for Key Vault Is Set To 'On' (Automated) | | | 1 | |
9.1.9 Defender Plan: Resource Manager | 1 | | | |
9.1.9.1 Ensure That Microsoft Defender for Resource Manager Is Set To 'On' (Automated) | | | 1 | |
9.1.10 Ensure that Microsoft Defender for Cloud is configured to check VM operating systems for updates (Automated) | | | 1 | |
9.1.11 Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled' (Manual) | | | 1 | |
9.1.12 Ensure That 'All users with the following roles' is set to 'Owner' (Automated) | | | 1 | |
9.1.13 Ensure 'Additional email addresses' is Configured with a Security Contact Email (Automated) | | | 1 | |
9.1.14 Ensure that 'Notify about alerts with the following severity (or higher)' is enabled (Automated) | | | 1 | |
9.1.15 Ensure that 'Notify about attack paths with the following risk level (or higher)' is enabled (Automated) | | | 1 | |
9.1.16 Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled (Manual) | | | 1 | |
9.1.17 [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On' (Automated) | | | | |
9.2 Microsoft Defender for IoT | 1 | | | |
9.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On' (Manual) | | | 1 | |
9.3 Key Vault | 10 | | | |
9.3.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults (Automated) | | | 1 | |
9.3.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults (Automated) | | | 1 | |
9.3.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults (Automated) | | | 1 | |
9.3.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults (Automated) | | | 1 | |
9.3.5 Ensure the Key Vault is Recoverable (Automated) | | | 1 | |
9.3.6 Ensure that Role Based Access Control for Azure Key Vault is enabled (Automated) | | | 1 | |
9.3.7 Ensure that Public Network Access when using Private Endpoint is disabled (Automated) | | | 1 | |
9.3.8 Ensure that Private Endpoints are Used for Azure Key Vault (Automated) | | | 1 | |
9.3.9 Ensure automatic key rotation is enabled within Azure Key Vault (Automated) | | | 1 | |
9.3.10 Ensure that Azure Key Vault Managed HSM is used when required (Manual) | | | 1 | |
9.4 Azure Bastion | 1 | | | |
9.4.1 Ensure an Azure Bastion Host Exists (Automated) | | | 1 | |
10 Storage Services | 3 | | | |
10.1 Azure Files | 3 | | | |
10.1.1 Ensure soft delete for Azure File Shares is Enabled (Automated) | | | 1 | |
10.1.2 Ensure 'SMB protocol version' is set to 'SMB 3.1.1' or higher for SMB file shares (Automated) | | | 1 | |
10.1.3 Ensure 'SMB channel encryption' is set to 'AES-256-GCM' or higher for SMB file shares (Automated) | | | 1 | |
10.2 Azure Blob Storage | 2 | | | |
10.2.1 Ensure that soft delete for blobs on Azure Blob Storage storage accounts is Enabled (Automated) | | | 1 | |
10.2.2 Ensure 'Versioning' is set to 'Enabled' on Azure Blob Storage storage accounts (Automated) | | | 1 | |
10.3 Storage Accounts | 12 | | | |
10.3.1 Secrets and Keys | 3 | | | |
10.3.1.1 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account (Manual) | | | 1 | |
10.3.1.2 Ensure that Storage Account access keys are periodically regenerated (Manual) | | | 1 | |
10.3.1.3 Ensure 'Allow storage account key access' for Azure Storage Accounts is 'Disabled' (Automated) | | | 1 | |
10.3.2 Networking | 3 | | | |
10.3.2.1 Ensure Private Endpoints are used to access Storage Accounts (Automated) | | | 1 | |
10.3.2.2 Ensure that 'Public Network Access' is 'Disabled' for storage accounts (Automated) | | | 1 | |
10.3.2.3 Ensure default network access rule for storage accounts is set to deny (Automated) | | | 1 | |
10.3.3 Identity and Access Management | 1 | | | |
10.3.3.1 Ensure that 'Default to Microsoft Entra authorization in the Azure portal' is set to 'Enabled' (Automated) | | | 1 | |
10.3.4 Ensure that 'Secure transfer required' is set to 'Enabled' (Automated) | | | 1 | |
10.3.5 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access (Automated) | | | 1 | |
10.3.6 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage (Automated) | | | 1 | |
10.3.7 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' (Automated) | | | 1 | |
10.3.8 Ensure 'Cross Tenant Replication' is not enabled (Automated) | | | 1 | |
10.3.9 Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled' (Automated) | | | 1 | |
10.3.10 Ensure Azure Resource Manager Delete locks are applied to Azure Storage Accounts (Manual) | | | 1 | |
10.3.11 Ensure Azure Resource Manager ReadOnly locks are considered for Azure Storage Accounts (Manual) | | | 1 | |
10.3.12 Ensure Redundancy is set to 'geo-redundant storage (GRS)' on critical Azure Storage Accounts (Automated) | | | 1 | |