| 💼 2 Analytics Services | 1 | | 12 | | no data |
|  💼 2.1 Azure Databricks | 12 | | 12 | | no data |
|   💼 2.1.1 Ensure that Azure Databricks is deployed in a customer-managed virtual network (VNet) (Automated) | | | 1 | | no data |
|   💼 2.1.2 Ensure that Network Security Groups are Configured for Databricks Subnets (Automated) | | | 1 | | no data |
|   💼 2.1.3 Ensure that Traffic is Encrypted Between Cluster Worker Nodes (Manual) | | | 1 | | no data |
|   💼 2.1.4 Ensure that Users and Groups are Synced from Microsoft Entra ID to Azure Databricks (Manual) | | | 1 | | no data |
|   💼 2.1.5 Ensure that Unity Catalog is Configured for Azure Databricks (Manual) | | | 1 | | no data |
|   💼 2.1.6 Ensure that Usage is Restricted and Expiry is Enforced for Databricks Personal Access Tokens (Manual) | | | 1 | | no data |
|   💼 2.1.7 Ensure that Diagnostic Log Delivery is Configured for Azure Databricks (Automated) | | | 1 | | no data |
|   💼 2.1.8 Ensure Critical Data in Azure Databricks is Encrypted with Customer-managed Keys (CMK) (Manual) | | | 1 | | no data |
|   💼 2.1.9 Ensure 'No Public IP' is Set to 'Enabled' (Automated) | | | 1 | | no data |
|   💼 2.1.10 Ensure 'Allow Public Network Access' is set to 'Disabled' (Automated) | | | 1 | | no data |
|   💼 2.1.11 Ensure Private Endpoints are used to access Azure Databricks workspaces (Automated) | | | 1 | | no data |
|   💼 2.1.12 Ensure Azure Databricks groups are reviewed periodically (Manual) | | | 1 | | no data |
| 💼 3 Compute Services | 1 | | 1 | | no data |
|  💼 3.1 Virtual Machines | 1 | | 1 | | no data |
|   💼 3.1.1 Ensure only MFA Enabled Identities can Access Privileged Virtual Machine (Manual) | | | 1 | | no data |
| 💼 4 Database Services (reference) | | | | | no data |
| 💼 5 Identity Services | 7 | | 15 | | no data |
|  💼 5.1 Security Defaults (Per-User MFA) | 4 | | 4 | | no data |
|   💼 5.1.1 Ensure that 'security defaults' is Enabled in Microsoft Entra ID (Automated) | | | 1 | | no data |
|   💼 5.1.2 Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes' (Manual) | | | 1 | | no data |
|   💼 5.1.3 Ensure that 'multifactor authentication' is 'enabled' For All Users (Automated) | | | 1 | | no data |
|   💼 5.1.4 Ensure that 'Allow users to remember multifactor authentication on devices they trust' is Disabled (Manual) | | | 1 | | no data |
|  💼 5.2 Conditional Access (reference) | | | | | no data |
|  💼 5.3 Periodic Identity Reviews | 7 | | 7 | | no data |
|   💼 5.3.1 Ensure that Azure Admin Accounts Are Not Used for Daily Operations (Manual) | | | 1 | | no data |
|   💼 5.3.2 Ensure that Guest Users are Reviewed on a Regular Basis (Manual) | | | 1 | | no data |
|   💼 5.3.3 Ensure That Use of the 'User Access Administrator' Role is Restricted (Automated) | | | 1 | | no data |
|   💼 5.3.4 Ensure that All 'Privileged' Role Assignments are Periodically Reviewed (Manual) | | | 1 | | no data |
|   💼 5.3.5 Ensure Disabled User Accounts do not Have Read, Write, or Owner Permissions (Manual) | | | 1 | | no data |
|   💼 5.3.6 Ensure 'Tenant Creator' Role Assignments are Periodically Reviewed (Manual) | | | 1 | | no data |
|   💼 5.3.7 Ensure All Non-privileged Role Assignments are Periodically Reviewed (Manual) | | | 1 | | no data |
|  💼 5.4 Ensure that No Custom Subscription Administrator Roles Exist (Automated) | | | 1 | | no data |
|  💼 5.5 Ensure that a Custom Role is Assigned Permissions for Administering Resource Locks (Manual) | | | 1 | | no data |
|  💼 5.6 Ensure that 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one' (Manual) | | | 1 | | no data |
|  💼 5.7 Ensure there are between 2 and 3 Subscription Owners (Automated) | | | 1 | | no data |
| 💼 6 Management and Governance Services | 2 | | 24 | | no data |
|  💼 6.1 Logging and Monitoring | 5 | | 23 | | no data |
|   💼 6.1.1 Configuring Diagnostic Settings | 9 | | 9 | | no data |
|    💼 6.1.1.1 Ensure that a 'Diagnostic Setting' Exists for Subscription Activity Logs (Automated) | | | 1 | | no data |
|    💼 6.1.1.2 Ensure Diagnostic Setting Captures Appropriate Categories (Automated) | | | 1 | | no data |
|    💼 6.1.1.3 Ensure the Storage Account Containing the Container with Activity Logs is Encrypted with Customer-managed Key (CMK) (Manual) | | | 1 | | no data |
|    💼 6.1.1.4 Ensure that Logging for Azure Key Vault is 'Enabled' (Automated) | | | 1 | | no data |
|    💼 6.1.1.5 Ensure that Network Security Group Flow Logs are Captured and Sent to Log Analytics (Manual) | | | 1 | | no data |
|    💼 6.1.1.6 Ensure that Virtual Network Flow Logs are Captured and Sent to Log Analytics (Manual) | | | 1 | | no data |
|    💼 6.1.1.7 Ensure that a Microsoft Entra Diagnostic Setting Exists to Send Microsoft Graph Activity Logs to an Appropriate Destination (Manual) | | | 1 | | no data |
|    💼 6.1.1.8 Ensure that a Microsoft Entra Diagnostic Setting Exists to Send Microsoft Entra Activity Logs to an Appropriate Destination (Manual) | | | 1 | | no data |
|    💼 6.1.1.9 Ensure that Intune Logs are Captured and Sent to Log Analytics (Manual) | | | 1 | | no data |
|   💼 6.1.2 Monitoring Using Activity Log Alerts | 11 | | 11 | | no data |
|    💼 6.1.2.1 Ensure that Activity Log Alert Exists for Create Policy Assignment (Automated) | | | 1 | | no data |
|    💼 6.1.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment (Automated) | | | 1 | | no data |
|    💼 6.1.2.3 Ensure that Activity Log Alert Exists for Create or Update Network Security Group (Automated) | | | 1 | | no data |
|    💼 6.1.2.4 Ensure that Activity Log Alert Exists for Delete Network Security Group (Automated) | | | 1 | | no data |
|    💼 6.1.2.5 Ensure that Activity Log Alert Exists for Create or Update Security Solution (Automated) | | | 1 | | no data |
|    💼 6.1.2.6 Ensure that Activity Log Alert Exists for Delete Security Solution (Automated) | | | 1 | | no data |
|    💼 6.1.2.7 Ensure that Activity Log Alert Exists for Create or Update SQL Server Firewall Rule (Automated) | | | 1 | | no data |
|    💼 6.1.2.8 Ensure that Activity Log Alert Exists for Delete SQL Server Firewall Rule (Automated) | | | 1 | | no data |
|    💼 6.1.2.9 Ensure that Activity Log Alert Exists for Create or Update Public IP Address rule (Automated) | | | 1 | | no data |
|    💼 6.1.2.10 Ensure that Activity Log Alert Exists for Delete Public IP Address rule (Automated) | | | 1 | | no data |
|    💼 6.1.2.11 Ensure that an Activity Log Alert Exists for Service Health (Automated) | | | 1 | | no data |
|   💼 6.1.3 Configuring Application Insights | 1 | | 1 | | no data |
|    💼 6.1.3.1 Ensure Application Insights are Configured (Automated) | | | 1 | | no data |
|   💼 6.1.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it (Manual) | | | 1 | | no data |
|   💼 6.1.5 Ensure Basic, Free, and Consumption SKUs are not used on Production artifacts requiring monitoring and SLA (Manual) | | | 1 | | no data |
|  💼 6.2 Ensure that Resource Locks are set for Mission-Critical Azure Resources (Manual) | | | 1 | | no data |
| 💼 7 Networking Services | 16 | | 16 | | no data |
|  💼 7.1 Ensure that RDP Access from the Internet is Evaluated and Restricted (Automated) | | | 1 | | no data |
|  💼 7.2 Ensure that SSH Access from the Internet is Evaluated and Restricted (Automated) | | | 1 | | no data |
|  💼 7.3 Ensure that UDP Port Access from the Internet is Evaluated and Restricted (Automated) | | | 1 | | no data |
|  💼 7.4 Ensure that HTTP(S) Access from the Internet is Evaluated and Restricted (Automated) | | | 1 | | no data |
|  💼 7.5 Ensure that Network Security Group Flow Log Retention Days is Set to Greater than or equal to 90 (Automated) | | | 1 | | no data |
|  💼 7.6 Ensure that Network Watcher is 'Enabled' for Azure Regions That are in Use (Automated) | | | 1 | | no data |
|  💼 7.7 Ensure that Public IP Addresses are Evaluated on a Periodic Basis (Manual) | | | 1 | | no data |
|  💼 7.8 Ensure that Virtual Network Flow Log Retention Days is Set to Greater than or Equal to 90 (Automated) | | | 1 | | no data |
|  💼 7.9 Ensure 'Authentication type' is Set to 'Azure Active Directory' only for Azure VPN Gateway Point-to-Site Configuration (Automated) | | | 1 | | no data |
|  💼 7.10 Ensure Azure Web Application Firewall (WAF) is Enabled on Azure Application Gateway (Automated) | | | 1 | | no data |
|  💼 7.11 Ensure Subnets Are Associated with Network Security Groups (Automated) | | | 1 | | no data |
|  💼 7.12 Ensure the SSL Policy's 'Min protocol version' is Set to 'TLSv1_2' or Higher on Azure Application Gateway (Automated) | | | 1 | | no data |
|  💼 7.13 Ensure 'HTTP2' is Set to 'Enabled' on Azure Application Gateway (Automated) | | | 1 | | no data |
|  💼 7.14 Ensure Request Body Inspection is Enabled in Azure Web Application Firewall policy on Azure Application Gateway (Automated) | | | 1 | | no data |
|  💼 7.15 Ensure Bot Protection is Enabled in Azure Web Application Firewall Policy on Azure Application Gateway (Automated) | | | 1 | | no data |
|  💼 7.16 Ensure Azure Network Security Perimeter is Used to Secure Azure Platform-as-a-service Resources (Manual) | | | 1 | | no data |
| 💼 8 Security Services | 5 | | 38 | | no data |
|  💼 8.1 Microsoft Defender for Cloud | 16 | | 24 | | no data |
|   💼 8.1.1 Microsoft Cloud Security Posture Management (CSPM) | 1 | | 1 | | no data |
|    💼 8.1.1.1 Ensure Microsoft Defender CSPM is Set to 'On' (Automated) | | | 1 | | no data |
|   💼 8.1.2 Defender Plan: APIs | 1 | | 1 | | no data |
|    💼 8.1.2.1 Ensure Microsoft Defender for APIs is Set to 'On' (Automated) | | | 1 | | no data |
|   💼 8.1.3 Defender Plan: Servers | 5 | | 5 | | no data |
|    💼 8.1.3.1 Ensure that Defender for Servers is Set to 'On' (Automated) | | | 1 | | no data |
|    💼 8.1.3.2 Ensure that 'Vulnerability assessment for machines' Component Status is set to 'On' (Manual) | | | 1 | | no data |
|    💼 8.1.3.3 Ensure that 'Endpoint protection' Component Status is set to 'On' (Automated) | | | 1 | | no data |
|    💼 8.1.3.4 Ensure that 'Agentless scanning for machines' Component Status is Set to 'On' (Manual) | | | 1 | | no data |
|    💼 8.1.3.5 Ensure that 'File Integrity Monitoring' Component Status is Set to 'On' (Manual) | | | 1 | | no data |
|   💼 8.1.4 Defender Plan: Containers | 1 | | 1 | | no data |
|    💼 8.1.4.1 Ensure That Microsoft Defender for Containers Is Set To 'On' (Automated) | | | 1 | | no data |
|   💼 8.1.5 Defender Plan: Storage | 2 | | 2 | | no data |
|    💼 8.1.5.1 Ensure That Microsoft Defender for Storage Is Set To 'On' (Automated) | | | 1 | | no data |
|    💼 8.1.5.2 Ensure Advanced Threat Protection Alerts for Storage Accounts Are Monitored (Manual) | | | 1 | | no data |
|   💼 8.1.6 Defender Plan: App Service | 1 | | 1 | | no data |
|    💼 8.1.6.1 Ensure That Microsoft Defender for App Services Is Set To 'On' (Automated) | | | 1 | | no data |
|   💼 8.1.7 Defender Plan: Databases | 4 | | 4 | | no data |
|    💼 8.1.7.1 Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On' (Automated) | | | 1 | | no data |
|    💼 8.1.7.2 Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' (Automated) | | | 1 | | no data |
|    💼 8.1.7.3 Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On' (Automated) | | | 1 | | no data |
|    💼 8.1.7.4 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' (Automated) | | | 1 | | no data |
|   💼 8.1.8 Defender Plan: Key Vault | 1 | | 1 | | no data |
|    💼 8.1.8.1 Ensure That Microsoft Defender for Key Vault Is Set To 'On' (Automated) | | | 1 | | no data |
|   💼 8.1.9 Defender Plan: Resource Manager | 1 | | 1 | | no data |
|    💼 8.1.9.1 Ensure That Microsoft Defender for Resource Manager Is Set To 'On' (Automated) | | | 1 | | no data |
|   💼 8.1.10 Ensure that Microsoft Defender for Cloud is Configured to Check VM Operating Systems for Updates (Automated) | | | 1 | | no data |
|   💼 8.1.11 Ensure that non-deprecated Microsoft Cloud Security Benchmark policies are not set to 'Disabled' (Manual) | | | 1 | | no data |
|   💼 8.1.12 Ensure That 'All users with the following roles' is Set to 'Owner' (Automated) | | | 1 | | no data |
|   💼 8.1.13 Ensure 'Additional email addresses' is Configured with a Security Contact Email (Automated) | | | 1 | | no data |
|   💼 8.1.14 Ensure that 'Notify about alerts with the following severity (or higher)' is Enabled (Automated) | | | 1 | | no data |
|   💼 8.1.15 Ensure that 'Notify about attack paths with the following risk level (or higher)' is Enabled (Automated) | | | 1 | | no data |
|   💼 8.1.16 Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is Enabled (Manual) | | | 1 | | no data |
|  💼 8.2 Microsoft Defender for IoT | 1 | | 1 | | no data |
|   💼 8.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On' (Manual) | | | 1 | | no data |
|  💼 8.3 Key Vault | 11 | | 11 | | no data |
|   💼 8.3.1 Ensure that the Expiration Date is Set for all Keys in Key Vaults using RBAC (Automated) | | | 1 | | no data |
|   💼 8.3.2 Ensure that the Expiration Date is set for All Keys in Key Vaults using access policies (legacy) (Automated) | | | 1 | | no data |
|   💼 8.3.3 Ensure that the Expiration Date is set for All Secrets in Key Vaults using RBAC (Automated) | | | 1 | | no data |
|   💼 8.3.4 Ensure that the Expiration Date is set for All Secrets in Key Vaults using access policies (legacy) (Automated) | | | 1 | | no data |
|   💼 8.3.5 Ensure 'Purge protection' is Set to 'Enabled' (Automated) | | | 1 | | no data |
|   💼 8.3.6 Ensure that Role Based Access Control for Azure Key Vault is Enabled (Automated) | | | 1 | | no data |
|   💼 8.3.7 Ensure Public Network Access is Disabled (Automated) | | | 1 | | no data |
|   💼 8.3.8 Ensure Private Endpoints are Used to Access Azure Key Vault (Automated) | | | 1 | | no data |
|   💼 8.3.9 Ensure Automatic Key Rotation is Enabled within Azure Key Vault (Automated) | | | 1 | | no data |
|   💼 8.3.10 Ensure that Azure Key Vault Managed HSM is Used when Required (Manual) | | | 1 | | no data |
|   💼 8.3.11 Ensure Certificate 'Validity Period (in months)' is Less Than or Equal to '12' (Automated) | | | 1 | | no data |
|  💼 8.4 Azure Bastion | 1 | | 1 | | no data |
|   💼 8.4.1 Ensure an Azure Bastion Host Exists (Automated) | | | 1 | | no data |
|  💼 8.5 Ensure Azure DDoS Network Protection is Enabled on Virtual Networks (Automated) | | | 1 | | no data |
| 💼 9 Storage Services | 3 | | 21 | | no data |
|  💼 9.1 Azure Files | 3 | | 3 | | no data |
|   💼 9.1.1 Ensure Soft Delete for Azure File Shares is Enabled (Automated) | | | 1 | | no data |
|   💼 9.1.2 Ensure 'SMB protocol version' is Set to 'SMB 3.1.1' or Higher for SMB file shares (Automated) | | | 1 | | no data |
|   💼 9.1.3 Ensure 'SMB channel encryption' is Set to 'AES-256-GCM' or Higher for SMB file shares (Automated) | | | 1 | | no data |
|  💼 9.2 Azure Blob Storage | 3 | | 3 | | no data |
|   💼 9.2.1 Ensure That Soft Delete for Blobs on Azure Blob Storage Storage Accounts is Enabled (Automated) | | | 1 | | no data |
|   💼 9.2.2 Ensure that Soft Delete for Containers on Azure Blob Storage Storage Accounts is Enabled (Automated) | | | 1 | | no data |
|   💼 9.2.3 Ensure 'Versioning' is Set to 'Enabled' on Azure Blob Storage Storage Accounts (Automated) | | | 1 | | no data |
|  💼 9.3 Storage Accounts | 11 | | 15 | | no data |
|   💼 9.3.1 Secrets and Keys | 3 | | 3 | | no data |
|    💼 9.3.1.1 Ensure That 'Enable key rotation reminders' is Enabled for Each Storage Account (Automated) | | | 1 | | no data |
|    💼 9.3.1.2 Ensure That Storage Account Access keys are Periodically Regenerated (Automated) | | | 1 | | no data |
|    💼 9.3.1.3 Ensure 'Allow storage account key access' for Azure Storage Accounts is 'Disabled' (Automated) | | | 1 | | no data |
|   💼 9.3.2 Networking | 3 | | 3 | | no data |
|    💼 9.3.2.1 Ensure Private Endpoints are Used to Access Storage Accounts (Automated) | | | 1 | | no data |
|    💼 9.3.2.2 Ensure that 'Public Network Access' is 'Disabled' for Storage Accounts (Automated) | | | 1 | | no data |
|    💼 9.3.2.3 Ensure Default Network Access Rule for Storage Accounts is Set to Deny (Automated) | | | 1 | | no data |
|   💼 9.3.3 Identity and Access Management | 1 | | 1 | | no data |
|    💼 9.3.3.1 Ensure that 'Default to Microsoft Entra authorization in the Azure portal' is Set to 'Enabled' (Automated) | | | 1 | | no data |
|   💼 9.3.4 Ensure that 'Secure transfer required' is Set to 'Enabled' (Automated) | | | 1 | | no data |
|   💼 9.3.5 Ensure 'Allow trusted Microsoft services to access this resource' is Enabled for Storage Account Access (Automated) | | | 1 | | no data |
|   💼 9.3.6 Ensure the 'Minimum TLS version' for Storage Accounts is Set to 'Version 1.2' (Automated) | | | 1 | | no data |
|   💼 9.3.7 Ensure 'Cross Tenant Replication' is Not Enabled (Automated) | | | 1 | | no data |
|   💼 9.3.8 Ensure that 'Allow Blob Anonymous Access' is Set to 'Disabled' (Automated) | | | 1 | | no data |
|   💼 9.3.9 Ensure Azure Resource Manager Delete Locks are Applied to Azure Storage Accounts (Manual) | | | 1 | | no data |
|   💼 9.3.10 Ensure Azure Resource Manager ReadOnly Locks are Considered for Azure Storage Accounts (Manual) | | | 1 | | no data |
|   💼 9.3.11 Ensure Redundancy is Set to 'geo-redundant storage (GRS)' on Critical Azure Storage Accounts (Automated) | | | 1 | | no data |