diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index a6b32b0b9ea98..a54af6a6b37ae 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -6765,6 +6765,11 @@ "redirect_url": "/azure/scheduler/migrate-from-scheduler-to-logic-apps", "redirect_document_id": false }, + { + "source_path_from_root": "/articles/search/search-get-started-retrieval-augmented-generation.md", + "redirect_url": "/azure/ai-services/openai/use-your-data-quickstart", + "redirect_document_id": false + }, { "source_path_from_root": "/articles/search/cognitive-search-tutorial-blob-python.md", "redirect_url": "/azure/search/samples-python", diff --git a/articles/advisor/advisor-resiliency-reviews.md b/articles/advisor/advisor-resiliency-reviews.md index 0e69dcba73174..acca3e884d21b 100644 --- a/articles/advisor/advisor-resiliency-reviews.md +++ b/articles/advisor/advisor-resiliency-reviews.md @@ -85,8 +85,8 @@ Select **Manage** > **Reviews (Preview)** in the left navigation pane. A list of At the top of the reviews page, use **Feedback** to tell us about your experience. Use the **Refresh** button to refresh the page as needed. -[!NOTE] -If you have no reviews, the **Reviews** menu item in the left navigation is greyed out. +> [!NOTE] +> If you have no reviews, the **Reviews** menu item in the left navigation is greyed out. ### Review recommendations 
@@ -133,8 +133,8 @@ From a review recommendations details page: 1. You can reject multiple recommendations at a time using the checkbox control, and the same reason for rejection is applied to all selected recommendations. If you need to select a different reason, reject one recommendation at a time. 1. If you reject a recommendation by mistake, select **Reset** to move it back to the pending state and tab. -[!NOTE] -The reason for the rejection is visible to your account team. It helps them understand workload context and your business priorities better. Additionally, Microsoft uses this information to improve the quality of recommendations. +> [!NOTE] +> The reason for the rejection is visible to your account team. It helps them understand workload context and your business priorities better. Additionally, Microsoft uses this information to improve the quality of recommendations. ## Implement recommendations @@ -155,8 +155,8 @@ The recommendations are grouped by type: * **Reviews**: These recommendations are part of a review for a selected workload. * **Automated**: These recommendations are the standard Advisor recommendations for the selected subscriptions. -[!NOTE] -If none of your resiliency review recommendations are in the *Accepted* state, the **Reviews** tab is hidden. +> [!NOTE] +> If none of your resiliency review recommendations are in the *Accepted* state, the **Reviews** tab is hidden. :::image type="content" source="./media/resiliency-reviews/resiliency-review-recommendation-list-accepted.png" alt-text="Screenshot of the Azure Advisor Resiliency Reviews recommendations page of accepted recommendations." lightbox="./media/resiliency-reviews/resiliency-review-recommendation-list-accepted.png"::: diff --git a/articles/ai-services/computer-vision/concept-detecting-faces.md b/articles/ai-services/computer-vision/concept-detecting-faces.md index f0f17c9ba7ea3..a6a2621db5817 100644 --- a/articles/ai-services/computer-vision/concept-detecting-faces.md 
+++ b/articles/ai-services/computer-vision/concept-detecting-faces.md @@ -17,14 +17,10 @@ ms.author: pafarley Image Analysis 3.2 can detect human faces within an image and generate rectangle coordinates for each detected face. > [!NOTE] -> This feature is also offered by the dedicated [Face](./overview-identity.md) service. Use this alternative for more detailed face analysis, including face identification and head pose detection. +> This feature is also offered by the dedicated [Azure AI Face](./overview-identity.md) service. Use that alternative for more detailed face analysis, including face identification and head pose detection. [!INCLUDE [Sensitive attributes notice](./includes/identity-sensitive-attributes.md)] -Try out the face detection features quickly and easily in your browser using Vision Studio. - -> [!div class="nextstepaction"] -> [Try Vision Studio](https://portal.vision.cognitive.azure.com/) ## Face detection examples @@ -55,7 +51,7 @@ The following example demonstrates the JSON response returned by Analyze API for } ``` -The next example demonstrates the JSON response returned for an image containing multiple human faces. +The next example demonstrates the JSON response returned for an image containing multiple faces. ![Vision Analyze Family Photo Face](./Images/family_photo_face.png) diff --git a/articles/ai-services/computer-vision/faq.yml b/articles/ai-services/computer-vision/faq.yml index d3d399e934976..233970cf78f27 100644 --- a/articles/ai-services/computer-vision/faq.yml +++ b/articles/ai-services/computer-vision/faq.yml 
@@ -24,7 +24,7 @@ sections: - question: | How can I increase the transactions-per-second (TPS) allowed by the service? answer: | - The free (S0) tier only allows 20 transactions per minute. Upgrade to the S1 tier to get up to 30 transactions per second. If you're seeing the error code 429 and the "Too many requests" error message, [submit an Azure support ticket](https://azure.microsoft.com/support/create-ticket/) to raise your TPS to 50 or higher with a brief business justification. [Azure AI Vision pricing](https://azure.microsoft.com/pricing/details/cognitive-services/computer-vision/#pricing). + The free (S0) tier only allows 20 transactions per minute. Upgrade to the S1 tier to get up to 20 transactions per second. If you're seeing the error code 429 and the "Too many requests" error message, [submit an Azure support ticket](https://azure.microsoft.com/support/create-ticket/) to raise your TPS to 50 or higher with a brief business justification. [Azure AI Vision pricing](https://azure.microsoft.com/pricing/details/cognitive-services/computer-vision/#pricing). - question: | The service is throwing an error because my image file is too large. How can I work around this? diff --git a/articles/ai-services/computer-vision/language-support.md b/articles/ai-services/computer-vision/language-support.md index a3247b36c1862..24a9d9d4d70b2 100644 --- a/articles/ai-services/computer-vision/language-support.md +++ b/articles/ai-services/computer-vision/language-support.md @@ -7,7 +7,7 @@ author: PatrickFarley manager: nitinme ms.service: azure-ai-vision ms.topic: conceptual -ms.date: 02/27/2024 +ms.date: 03/11/2024 ms.author: pafarley --- 
@@ -17,15 +17,13 @@ Some capabilities of Azure AI Vision support multiple languages; any capabilitie ## Optical Character Recognition (OCR) -The Azure AI Vision [Read API](./overview-ocr.md) supports many languages. The `Read` API can extract text from images and documents with mixed languages, including from the same text line, without requiring a language parameter. +The Azure AI Vision [Read API](./overview-ocr.md) supports many languages. The `Read` API can extract text from images and documents with mixed languages, including from the same text line, without requiring a language parameter. See [How to specify the `Read` model](./how-to/call-read-api.md#determine-how-to-process-the-data-optional) to use the new languages. > [!NOTE] > **Language code optional** > > `Read` OCR's deep-learning-based universal models extract all multi-lingual text in your documents, including text lines with mixed languages, and do not require specifying a language code. Do not provide the language code as the parameter unless you are sure about the language and want to force the service to apply only the relevant model. Otherwise, the service may return incomplete and incorrect text. -See [How to specify the `Read` model](./how-to/call-read-api.md#determine-how-to-process-the-data-optional) to use the new languages. - ### Handwritten text The following table lists the OCR supported languages for handwritten text by the most recent `Read` GA model. 
@@ -129,62 +127,62 @@ The following table lists the OCR supported languages for print text by the most ## Analyze image -Some features of the [Analyze - Image](https://westcentralus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-1-ga/operations/56f91f2e778daf14a499f21b) API can return results in other languages, specified with the `language` query parameter. Other actions return results in English regardless of what language is specified, and others throw an exception for unsupported languages. Actions are specified with the `visualFeatures` and `details` query parameters; see the [Overview](overview-image-analysis.md) for a list of all the actions you can do with image analysis. Languages for tagging are only available in API version 3.2 or later. +Some features of the [Analyze - Image](https://westcentralus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-1-ga/operations/56f91f2e778daf14a499f21b) API can return results in other languages, specified with the `language` query parameter. Other actions return results in English regardless of what language is specified, and others throw an exception for unsupported languages. Actions are specified with the `visualFeatures` and `details` query parameters; see the [Overview](overview-image-analysis.md) for a list of all the actions you can do with the Analyze API, or follow the [How-to guide](/azure/ai-services/computer-vision/how-to/call-analyze-image-40) to try them out. 
-|Language | Language code | Categories | Tags | Description | Adult | Brands | Color | Faces | ImageType | Objects | Celebrities | Landmarks | Captions/Dense captions| -|:---|:---:|:----:|:---:|:---:|:---:|:---:|:---:|:---:|:---:|:---:|:---:|:---:|:--:| -|Arabic |`ar`| | ✅| |||||| |||| -|Azerbaijani |`az`| | ✅| |||||| |||| -|Bulgarian |`bg`| | ✅| |||||| |||| -|Bosnian Latin |`bs`| | ✅| |||||| |||| -|Catalan |`ca`| | ✅| |||||| |||| -|Czech |`cs`| | ✅| |||||| |||| -|Welsh |`cy`| | ✅| |||||| |||| -|Danish |`da`| | ✅| |||||| |||| -|German |`de`| | ✅| |||||| |||| -|Greek |`el`| | ✅| |||||| |||| -|English |`en`|✅ | ✅| ✅|✅|✅|✅|✅|✅|✅|✅|✅|✅| -|Spanish |`es`|✅ | ✅| ✅|||||| |✅|✅|| -|Estonian |`et`| | ✅| |||||| |||| -|Basque |`eu`| | ✅| |||||| |||| -|Finnish |`fi`| | ✅| |||||| |||| -|French |`fr`| | ✅| |||||| |||| -|Irish |`ga`| | ✅| |||||| |||| -|Galician |`gl`| | ✅| |||||| |||| -|Hebrew |`he`| | ✅| |||||| |||| -|Hindi |`hi`| | ✅| |||||| |||| -|Croatian |`hr`| | ✅| |||||| |||| -|Hungarian |`hu`| | ✅| |||||| |||| -|Indonesian |`id`| | ✅| |||||| |||| -|Italian |`it`| | ✅| |||||| |||| -|Japanese |`ja`|✅ | ✅| ✅|||||| |✅|✅|| -|Kazakh |`kk`| | ✅| |||||| |||| -|Korean |`ko`| | ✅| |||||| |||| -|Lithuanian |`lt`| | ✅| |||||| |||| -|Latvian |`lv`| | ✅| |||||| |||| -|Macedonian |`mk`| | ✅| |||||| |||| -|Malay Malaysia |`ms`| | ✅| |||||| |||| -|Norwegian (Bokmal) |`nb`| | ✅| |||||| |||| -|Dutch |`nl`| | ✅| |||||| |||| -|Polish |`pl`| | ✅| |||||| |||| -|Dari |`prs`| | ✅| |||||| |||| -| Portuguese-Brazil|`pt-BR`| | ✅| |||||| |||| -| Portuguese-Portugal |`pt`|✅ | ✅| ✅|||||| |✅|✅|| -| Portuguese-Portugal |`pt-PT`| | ✅| |||||| |||| -|Romanian |`ro`| | ✅| |||||| |||| -|Russian |`ru`| | ✅| |||||| |||| -|Slovak |`sk`| | ✅| |||||| |||| -|Slovenian |`sl`| | ✅| |||||| |||| -|Serbian - Cyrillic RS |`sr-Cryl`| | ✅| |||||| |||| -|Serbian - Latin RS |`sr-Latn`| | ✅| |||||| |||| -|Swedish |`sv`| | ✅| |||||| |||| -|Thai |`th`| | ✅| |||||| |||| -|Turkish |`tr`| | ✅| |||||| |||| -|Ukrainian |`uk`| | ✅| 
|||||| |||| -|Vietnamese |`vi`| | ✅| |||||| |||| -|Chinese Simplified |`zh`|✅ | ✅| ✅|||||| |✅|✅|| -|Chinese Simplified |`zh-Hans`| | ✅| |||||| |||| -|Chinese Traditional |`zh-Hant`| | ✅| |||||| |||| +| Language | Language code | Categories | Tags | Description | Adult, Brands, Color, Faces, ImageType, Objects | Celebrities, Landmarks | Captions, Dense captions| +|:---|:---:|:----:|:---:|:---:|:---:|:---:|:--:| +|Arabic |`ar`| | ✅| |||| +|Azerbaijani |`az`| | ✅| |||| +|Bulgarian |`bg`| | ✅| |||| +|Bosnian Latin |`bs`| | ✅| |||| +|Catalan |`ca`| | ✅| |||| +|Czech |`cs`| | ✅| |||| +|Welsh |`cy`| | ✅| |||| +|Danish |`da`| | ✅| |||| +|German |`de`| | ✅| |||| +|Greek |`el`| | ✅| |||| +|English |`en`|✅ | ✅| ✅|✅|✅|✅| +|Spanish |`es`|✅ | ✅| ✅||✅|| +|Estonian |`et`| | ✅| |||| +|Basque |`eu`| | ✅| |||| +|Finnish |`fi`| | ✅| |||| +|French |`fr`| | ✅| |||| +|Irish |`ga`| | ✅| |||| +|Galician |`gl`| | ✅| |||| +|Hebrew |`he`| | ✅| |||| +|Hindi |`hi`| | ✅| |||| +|Croatian |`hr`| | ✅| |||| +|Hungarian |`hu`| | ✅| |||| +|Indonesian |`id`| | ✅| |||| +|Italian |`it`| | ✅| |||| +|Japanese |`ja`|✅ | ✅| ✅||✅|| +|Kazakh |`kk`| | ✅| |||| +|Korean |`ko`| | ✅| |||| +|Lithuanian |`lt`| | ✅| |||| +|Latvian |`lv`| | ✅| |||| +|Macedonian |`mk`| | ✅| |||| +|Malay Malaysia |`ms`| | ✅| |||| +|Norwegian (Bokmal) |`nb`| | ✅| |||| +|Dutch |`nl`| | ✅| ||| +|Polish |`pl`| | ✅| ||| +|Dari |`prs`| | ✅| ||| +| Portuguese-Brazil|`pt-BR`| | ✅| |||| +| Portuguese-Portugal |`pt`|✅ | ✅| ✅||✅|| +| Portuguese-Portugal |`pt-PT`| | ✅| |||| +|Romanian |`ro`| | ✅| |||| +|Russian |`ru`| | ✅| |||| +|Slovak |`sk`| | ✅| |||| +|Slovenian |`sl`| | ✅| |||| +|Serbian - Cyrillic RS |`sr-Cryl`| | ✅| |||| +|Serbian - Latin RS |`sr-Latn`| | ✅| |||| +|Swedish |`sv`| | ✅| |||| +|Thai |`th`| | ✅| |||| +|Turkish |`tr`| | ✅| |||| +|Ukrainian |`uk`| | ✅| |||| +|Vietnamese |`vi`| | ✅| |||| +|Chinese Simplified |`zh`|✅ | ✅| ✅| |✅|| +|Chinese Simplified |`zh-Hans`| | ✅| |||| +|Chinese Traditional |`zh-Hant`| | ✅| |||| ## Multimodal 
embeddings diff --git a/articles/ai-services/computer-vision/reference-video-search.md b/articles/ai-services/computer-vision/reference-video-search.md index d4a4cd1b35a9f..355efa0e2aa23 100644 --- a/articles/ai-services/computer-vision/reference-video-search.md +++ b/articles/ai-services/computer-vision/reference-video-search.md @@ -8,7 +8,7 @@ manager: nitinme ms.service: azure-ai-vision ms.topic: reference -ms.date: 11/15/2023 +ms.date: 03/11/2024 ms.author: pafarley --- @@ -17,23 +17,18 @@ ms.author: pafarley ## Authentication -Include the following header when making a call to any API in this document. +Include the following headers when making a call to any API in this document. -``` -Ocp-Apim-Subscription-Key: YOUR_COMPUTER_VISION_KEY -``` +Ocp-Apim-Subscription-Key: `YOUR_COMPUTER_VISION_KEY` Version: `2023-05-01-preview` ## CreateIndex ### URL -PUT /retrieval/indexes/{indexName}?api-version= -### Summary - -Creates an index for the documents to be ingested. +`PUT /retrieval/indexes/{indexName}?api-version=` ### Description @@ -42,7 +37,7 @@ An index needs to be created before ingestion can be performed. ### Parameters -| Name | Located in | Description | Required | Schema | +| Name | Located in | Description | Required | Type | | ---- | ---------- | ----------- | -------- | ---- | | indexName | path | The name of the index to be created. | Yes | string | | api-version | query | Requested API version. | Yes | string | @@ -50,18 +45,14 @@ An index needs to be created before ingestion can be performed. #### Responses -| Code | Description | Schema | +| Code | Description | Type | | ---- | ----------- | ------ | | 201 | Created | [GetIngestionIndexResponseModel](#getingestionindexresponsemodel) | ## GetIndex ### URL -GET /retrieval/indexes/{indexName}?api-version= - -### Summary - -Retrieves the index. +`GET /retrieval/indexes/{indexName}?api-version=` ### Description 
@@ -69,14 +60,14 @@ Retrieves the index with the specified name. ### Parameters -| Name | Located in | Description | Required | Schema | +| Name | Located in | Description | Required | Type | | ---- | ---------- | ----------- | -------- | ---- | | indexName | path | The name of the index to retrieve. | Yes | string | | api-version | query | Requested API version. | Yes | string | ### Responses -| Code | Description | Schema | +| Code | Description | Type | | ---- | ----------- | ------ | | 200 | Success | [GetIngestionIndexResponseModel](#getingestionindexresponsemodel) | | default | Error | [ErrorResponse](#errorresponse) | @@ -84,11 +75,8 @@ Retrieves the index with the specified name. ## UpdateIndex ### URL -PATCH /retrieval/indexes/{indexName}?api-version= - -### Summary +`PATCH /retrieval/indexes/{indexName}?api-version=` -Updates an index. ### Description @@ -96,7 +84,7 @@ Updates an index with the specified name. ### Parameters -| Name | Located in | Description | Required | Schema | +| Name | Located in | Description | Required | Type | | ---- | ---------- | ----------- | -------- | ---- | | indexName | path | The name of the index to be updated. | Yes | string | | api-version | query | Requested API version. | Yes | string | @@ -104,7 +92,7 @@ Updates an index with the specified name. ### Responses -| Code | Description | Schema | +| Code | Description | Type | | ---- | ----------- | ------ | | 200 | Success | [GetIngestionIndexResponseModel](#getingestionindexresponsemodel) | | default | Error | [ErrorResponse](#errorresponse) | @@ -112,11 +100,7 @@ Updates an index with the specified name. ## DeleteIndex ### URL -DELETE /retrieval/indexes/{indexName}?api-version= - -### Summary - -Deletes an index. +`DELETE /retrieval/indexes/{indexName}?api-version=` ### Description 
@@ -124,7 +108,7 @@ Deletes an index and all its associated ingestion documents. ### Parameters -| Name | Located in | Description | Required | Schema | +| Name | Located in | Description | Required | Type | | ---- | ---------- | ----------- | -------- | ---- | | indexName | path | The name of the index to be deleted. | Yes | string | | api-version | query | Requested API version. | Yes | string | @@ -138,11 +122,8 @@ Deletes an index and all its associated ingestion documents. ## ListIndexes ### URL -GET /retrieval/indexes?api-version= - -### Summary +`GET /retrieval/indexes?api-version=` -Retrieves all indexes. ### Description @@ -150,7 +131,7 @@ Retrieves a list of all indexes across all ingestions. ### Parameters -| Name | Located in | Description | Required | Schema | +| Name | Located in | Description | Required | Type | | ---- | ---------- | ----------- | -------- | ------ | | $skip | query | Number of datasets to be skipped. | No | integer | | $top | query | Number of datasets to be returned after skipping. | No | integer | @@ -158,7 +139,7 @@ Retrieves a list of all indexes across all ingestions. ### Responses -| Code | Description | Schema | +| Code | Description | Type | | ---- | ----------- | ------ | | 200 | Success | [GetIngestionIndexResponseModelCollectionApiModel](#getingestionindexresponsemodelcollectionapimodel) | | default | Error | [ErrorResponse](#errorresponse) | @@ -166,11 +147,8 @@ Retrieves a list of all indexes across all ingestions. ## CreateIngestion ### URL -PUT /retrieval/indexes/{indexName}/ingestions/{ingestionName}?api-version= +`PUT /retrieval/indexes/{indexName}/ingestions/{ingestionName}?api-version=` -### Summary - -Creates an ingestion for a specific index and ingestion name. ### Description 
@@ -181,7 +159,7 @@ Update mode will update the metadata only. In order to reprocess the video, the ### Parameters -| Name | Located in | Description | Required | Schema | +| Name | Located in | Description | Required | Type | | ---- | ---------- | ----------- | -------- | ---- | | indexName | path | The name of the index to which the ingestion is to be created. | Yes | string | | ingestionName | path | The name of the ingestion to be created. | Yes | string | @@ -190,7 +168,7 @@ Update mode will update the metadata only. In order to reprocess the video, the ### Responses -| Code | Description | Schema | +| Code | Description | Type | | ---- | ----------- | ------ | | 202 | Accepted | [IngestionResponseModel](#ingestionresponsemodel) | @@ -198,11 +176,8 @@ Update mode will update the metadata only. In order to reprocess the video, the ### URL -GET /retrieval/indexes/{indexName}/ingestions/{ingestionName}?api-version= - -### Summary +`GET /retrieval/indexes/{indexName}/ingestions/{ingestionName}?api-version=` -Gets the ingestion status. ### Description @@ -210,7 +185,7 @@ Gets the ingestion status for the specified index and ingestion name. ### Parameters -| Name | Located in | Description | Required | Schema | +| Name | Located in | Description | Required | Type | | ---- | ---------- | ----------- | -------- | ---- | | indexName | path | The name of the index for which the ingestion status to be checked. | Yes | string | | ingestionName | path | The name of the ingestion to be retrieved. | Yes | string | @@ -219,7 +194,7 @@ Gets the ingestion status for the specified index and ingestion name. ### Responses -| Code | Description | Schema | +| Code | Description | Type | | ---- | ----------- | ------ | | 200 | Success | [IngestionResponseModel](#ingestionresponsemodel) | | default | Error | [ErrorResponse](#errorresponse) | 
@@ -228,11 +203,8 @@ Gets the ingestion status for the specified index and ingestion name. ### URL -GET /retrieval/indexes/{indexName}/ingestions?api-version= - -### Summary +`GET /retrieval/indexes/{indexName}/ingestions?api-version=` -Retrieves all ingestions. ### Description @@ -240,14 +212,14 @@ Retrieves all ingestions for the specific index. ### Parameters -| Name | Located in | Description | Required | Schema | +| Name | Located in | Description | Required | Type | | ---- | ---------- | ----------- | -------- | ---- | | indexName | path | The name of the index for which to retrieve the ingestions. | Yes | string | | api-version | query | Requested API version. | Yes | string | ### Responses -| Code | Description | Schema | +| Code | Description | Type | | ---- | ----------- | ------ | | 200 | Success | [IngestionResponseModelCollectionApiModel](#ingestionresponsemodelcollectionapimodel) | | default | Error | [ErrorResponse](#errorresponse) | @@ -256,11 +228,8 @@ Retrieves all ingestions for the specific index. ### URL -GET /retrieval/indexes/{indexName}/documents?api-version= +`GET /retrieval/indexes/{indexName}/documents?api-version=` -### Summary - -Retrieves all documents. ### Description @@ -268,7 +237,7 @@ Retrieves all documents for the specific index. ### Parameters -| Name | Located in | Description | Required | Schema | +| Name | Located in | Description | Required | Type | | ---- | ---------- | ----------- | -------- | ---- | | indexName | path | The name of the index for which to retrieve the documents. | Yes | string | | $skip | query | Number of datasets to be skipped. | No | integer | @@ -277,7 +246,7 @@ Retrieves all documents for the specific index. ### Responses -| Code | Description | Schema | +| Code | Description | Type | | ---- | ----------- | ------ | | 200 | Success | [IngestionDocumentResponseModelCollectionApiModel](#ingestiondocumentresponsemodelcollectionapimodel) | | default | Error | [ErrorResponse](#errorresponse) | 
@@ -286,11 +255,7 @@ Retrieves all documents for the specific index. ### URL -POST /retrieval/indexes/{indexName}:queryByText?api-version= - -### Summary - -Performs a text-based search. +`POST /retrieval/indexes/{indexName}:queryByText?api-version=` ### Description @@ -298,7 +263,7 @@ Performs a text-based search on the specified index. ### Parameters -| Name | Located in | Description | Required | Schema | +| Name | Located in | Description | Required | Type | | ---- | ---------- | ----------- | -------- | ---- | | indexName | path | The name of the index to search. | Yes | string | | api-version | query | Requested API version. | Yes | string | @@ -306,7 +271,7 @@ Performs a text-based search on the specified index. ### Responses -| Code | Description | Schema | +| Code | Description | Type | | ---- | ----------- | ------ | | 200 | Success | [SearchResultDocumentModelCollectionApiModel](#searchresultdocumentmodelcollectionapimodel) | | default | Error | [ErrorResponse](#errorresponse) | diff --git a/articles/ai-services/computer-vision/whats-new.md b/articles/ai-services/computer-vision/whats-new.md index 4dfa32548965b..d3da34590cafe 100644 --- a/articles/ai-services/computer-vision/whats-new.md +++ b/articles/ai-services/computer-vision/whats-new.md 
@@ -10,19 +10,19 @@ ms.custom: - build-2023 - ignite-2023 ms.topic: whats-new -ms.date: 01/19/2024 +ms.date: 03/11/2024 ms.author: pafarley --- # What's new in Azure AI Vision -Learn what's new in the service. These items might be release notes, videos, blog posts, and other types of information. Bookmark this page to stay up to date with new features, enhancements, fixes, and documentation updates. +Learn what's new in Azure AI Vision. Check this page to stay up to date with new features, enhancements, fixes, and documentation updates. ## February 2024 #### Multimodal embeddings GA: new multi-language model -The Multimodal embeddings API has been updated and is now generally available. The new `2024-02-01` API includes a new model that supports text search in 102 languages. The original English-only model is still available, but it cannot be combined with the new model in the same search index. If you vectorized text and images using the English-only model, these vectors aren't compatible with multi-lingual text and image vectors. +The Multimodal embeddings API has been updated and is now generally available. The new `2024-02-01` API includes a new model that supports text search in 102 languages. The original English-only model is still available, but it can't be combined with the new model in the same search index. If you vectorized text and images using the English-only model, these vectors aren't compatible with multi-lingual text and image vectors. See the [language support](/azure/ai-services/computer-vision/language-support#multimodal-embeddings) page for the list of supported languages. 
@@ -37,7 +37,7 @@ Major changes: - The SDK now calls the generally available [Computer Vision REST API (2023-10-01)](https://eastus.dev.cognitive.microsoft.com/docs/services/Cognitive_Services_Unified_Vision_API_2023-10-01), instead of the preview [Computer Vision REST API (2023-04-01-preview)](https://eastus.dev.cognitive.microsoft.com/docs/services/unified-vision-apis-public-preview-2023-04-01-preview/operations/61d65934cd35050c20f73ab6). - Support for JavaScript was added. - C++ is no longer supported. -- Image Analysis with a custom model, and Image Segmentation (background removal) are no longer supported in the SDK, because the [Computer Vision REST API (2023-10-01)](https://eastus.dev.cognitive.microsoft.com/docs/services/Cognitive_Services_Unified_Vision_API_2023-10-01) does not yet support them. To use either feature, call the [Computer Vision REST API (2023-04-01-preview)](https://eastus.dev.cognitive.microsoft.com/docs/services/unified-vision-apis-public-preview-2023-04-01-preview/operations/61d65934cd35050c20f73ab6) directly (using the `Analyze` and `Segment` operations respectively). +- Image Analysis with a custom model, and Image Segmentation (background removal) are no longer supported in the SDK, because the [Computer Vision REST API (2023-10-01)](https://eastus.dev.cognitive.microsoft.com/docs/services/Cognitive_Services_Unified_Vision_API_2023-10-01) doesn't yet support them. To use either feature, call the [Computer Vision REST API (2023-04-01-preview)](https://eastus.dev.cognitive.microsoft.com/docs/services/unified-vision-apis-public-preview-2023-04-01-preview/operations/61d65934cd35050c20f73ab6) directly (using the `Analyze` and `Segment` operations respectively). ## November 2023 
@@ -124,7 +124,7 @@ Image Analysis 4.0 has been released in public preview. The new API includes ima The preview versions of the Azure AI Vision 3.0 and 3.1 Read API are scheduled to be retired on January 31, 2023. Customers are encouraged to refer to the [How-To](./how-to/call-read-api.md) and [QuickStarts](./quickstarts-sdk/client-library.md?tabs=visual-studio&pivots=programming-language-csharp) to get started with the generally available (GA) version of the Read API instead. The latest GA versions provide the following benefits: * 2022 latest generally available OCR model * Significant expansion of OCR language coverage including support for handwritten text -* Significantly improved OCR quality +* Improved OCR quality ## June 2022 
@@ -136,13 +136,13 @@ Vision Studio provides you with a platform to try several service features, and ### Responsible AI for Face -#### Face transparency documentation -* The [transparency documentation](https://aka.ms/faceraidocs) provides guidance to assist our customers to improve the accuracy and fairness of their systems by incorporating meaningful human review to detect and resolve cases of misidentification or other failures, providing support to people who believe their results were incorrect, and identifying and addressing fluctuations in accuracy due to variations in operational conditions. +#### Face transparency note +* The [transparency note](https://aka.ms/faceraidocs) provides guidance to assist our customers to improve the accuracy and fairness of their systems by incorporating meaningful human review to detect and resolve cases of misidentification or other failures, providing support to people who believe their results were incorrect, and identifying and addressing fluctuations in accuracy due to variations in operational conditions. #### Retirement of sensitive attributes -* We have retired facial analysis capabilities that purport to infer emotional states and identity attributes, such as gender, age, smile, facial hair, hair and makeup. -* Facial detection capabilities, (including detecting blur, exposure, glasses, headpose, landmarks, noise, occlusion, facial bounding box) will remain generally available and do not require an application. +* We have retired facial analysis capabilities that purport to infer emotional states and identity attributes, such as gender, age, smile, facial hair, hair, and makeup. +* Facial detection capabilities, (including detecting blur, exposure, glasses, headpose, landmarks, noise, occlusion, facial bounding box) will remain generally available and don't require an application. #### Fairlearn package and Microsoft's Fairness Dashboard 
@@ -155,7 +155,7 @@ Vision Studio provides you with a platform to try several service features, and ### Azure AI Vision 3.2-preview deprecation The preview versions of the 3.2 API are scheduled to be retired in December of 2022. Customers are encouraged to use the generally available (GA) version of the API instead. Mind the following changes when migrating from the 3.2-preview versions: -1. The [Analyze Image](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2/operations/56f91f2e778daf14a499f21b) and [Read](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2/operations/5d986960601faab4bf452005) API calls now take an optional _model-version_ parameter that you can use to specify which AI model to use. By default, they will use the latest model. +1. The [Analyze Image](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2/operations/56f91f2e778daf14a499f21b) and [Read](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2/operations/5d986960601faab4bf452005) API calls now take an optional _model-version_ parameter that you can use to specify which AI model to use. By default, they use the latest model. 1. The [Analyze Image](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2/operations/56f91f2e778daf14a499f21b) and [Read](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2/operations/5d986960601faab4bf452005) API calls also return a `model-version` field in successful API responses. This field reports which model was used. 1. Image Analysis APIs now use a different error-reporting format. See the [API reference documentation](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2/operations/56f91f2e778daf14a499f21b) to learn how to adjust any error-handling code. 
@@ -184,7 +184,7 @@ See the [OCR how-to guide](how-to/call-read-api.md#determine-how-to-process-the- Azure AI Vision's [OCR (Read) API](overview-ocr.md) expands [supported languages](language-support.md) to 164 with its latest preview: -* OCR support for print text expands to 42 new languages including Arabic, Hindi and other languages using Arabic and Devanagari scripts. +* OCR support for print text expands to 42 new languages including Arabic, Hindi, and other languages using Arabic and Devanagari scripts. * OCR support for handwritten text expands to Japanese and Korean in addition to English, Chinese Simplified, French, German, Italian, Portuguese, and Spanish. * Enhancements including better support for extracting handwritten dates, amounts, names, and single character boxes. * General performance and AI quality improvements 
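Review bot: the serial comma fix is fine, but "42 new languages including Arabic, Hindi, and other languages using Arabic and Devanagari scripts" now reads as if Arabic and Hindi are themselves "other languages"; suggest "including Arabic, Hindi, and other languages written in the Arabic and Devanagari scripts". The last bullet in the hunk, "General performance and AI quality improvements", is also missing the terminal period its sibling bullets have.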
@@ -195,7 +195,7 @@ See the [OCR how-to guide](how-to/call-read-api.md#determine-how-to-process-the- > [Get Started with the Read API](./quickstarts-sdk/client-library.md) ### New Quality Attribute in Detection_01 and Detection_03 -* To help system builders and their customers capture high quality images which are necessary for high quality outputs from Face API, we’re introducing a new quality attribute **QualityForRecognition** to help decide whether an image is of sufficient quality to attempt face recognition. The value is an informal rating of low, medium, or high. The new attribute is only available when using any combinations of detection models `detection_01` or `detection_03`, and recognition models `recognition_03` or `recognition_04`. Only "high" quality images are recommended for person enrollment and quality above "medium" is recommended for identification scenarios. To learn more about the new quality attribute, see [Face detection and attributes](concept-face-detection.md) and see how to use it with [QuickStart](./quickstarts-sdk/identity-client-library.md?pivots=programming-language-csharp&tabs=visual-studio). +* To help system builders and their customers capture high quality images, which are necessary for high quality outputs from Face API, we’re introducing a new quality attribute **QualityForRecognition** to help decide whether an image is of sufficient quality to attempt face recognition. The value is an informal rating of low, medium, or high. The new attribute is only available when using any combinations of detection models `detection_01` or `detection_03`, and recognition models `recognition_03` or `recognition_04`. Only "high" quality images are recommended for person enrollment and quality above "medium" is recommended for identification scenarios. 
To learn more about the new quality attribute, see [Face detection and attributes](concept-face-detection.md) and see how to use it with [QuickStart](./quickstarts-sdk/identity-client-library.md?pivots=programming-language-csharp&tabs=visual-studio). ## September 2021 @@ -224,7 +224,7 @@ The [latest version (v3.2)](https://westus.dev.cognitive.microsoft.com/docs/serv ### New HeadPose and Landmarks improvements for Detection_03 * The Detection_03 model has been updated to support facial landmarks. -* The landmarks feature in Detection_03 is much more precise, especially in the eyeball landmarks which are crucial for gaze tracking. +* The landmarks feature in Detection_03 is much more precise, especially in the eyeball landmarks, which are crucial for gaze tracking. ## May 2021 
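Review bot: splitting "To learn more about the new quality attribute, see ..." onto its own unindented line takes it out of the bullet item; in rendered Markdown it becomes a separate paragraph after the list instead of the last sentence of the bullet. Either keep it on the bullet line or indent it by two spaces so it stays part of the item. While the line is being edited, "any combinations of detection models" should be "any combination of detection models". The "landmarks, which are crucial" comma fix in the Detection_03 hunk is fine.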
@@ -254,8 +254,8 @@ The Azure AI Vision API v3.2 is now generally available with the following updat ### PersonDirectory data structure (preview) -* In order to perform face recognition operations such as Identify and Find Similar, Face API customers need to create an assorted list of **Person** objects. The new **PersonDirectory** is a data structure that contains unique IDs, optional name strings, and optional user metadata strings for each **Person** identity added to the directory. Currently, the Face API offers the **LargePersonGroup** structure which has similar functionality but is limited to 1 million identities. The **PersonDirectory** structure can scale up to 75 million identities. -* Another major difference between **PersonDirectory** and previous data structures is that you'll no longer need to make any Train calls after adding faces to a **Person** object—the update process happens automatically. For more details see [Use the PersonDirectory structure](how-to/use-persondirectory.md). +* In order to perform face recognition operations such as Identify and Find Similar, Face API customers need to create an assorted list of **Person** objects. The new **PersonDirectory** is a data structure that contains unique IDs, optional name strings, and optional user metadata strings for each **Person** identity added to the directory. Currently, the Face API offers the **LargePersonGroup** structure, which has similar functionality but is limited to 1 million identities. The **PersonDirectory** structure can scale up to 75 million identities. +* Another major difference between **PersonDirectory** and previous data structures is that you'll no longer need to make any Train calls after adding faces to a **Person** object—the update process happens automatically. For more details, see [Use the PersonDirectory structure](how-to/use-persondirectory.md). ## March 2021 
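Review bot: the two comma fixes are fine, but the same lines still carry "In order to perform" (just "To perform") and "an assorted list of **Person** objects" ("assorted" adds nothing; "a list of **Person** objects"). "Train calls" refers to an API operation and should be formatted the way the other operation names in this bullet are (`Train`, alongside Identify and Find Similar) so a reader knows it names a specific call and not a verb.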
@@ -285,11 +285,11 @@ See the [Read API how-to guide](how-to/call-read-api.md) to learn more. ### New Face API detection model -* The new Detection 03 model is the most accurate detection model currently available. If you're a new customer, we recommend using this model. Detection 03 improves both recall and precision on smaller faces found within images (64x64 pixels). Additional improvements include an overall reduction in false positives and improved detection on rotated face orientations. Combining Detection 03 with the new Recognition 04 model will provide improved recognition accuracy as well. See [Specify a face detection model](./how-to/specify-detection-model.md) for more details. +* The new Detection 03 model is the most accurate detection model currently available. If you're a new customer, we recommend using this model. Detection 03 improves both recall and precision on smaller faces found within images (64x64 pixels). Other improvements include an overall reduction in false positives and improved detection on rotated face orientations. Combining Detection 03 with the new Recognition 04 model provides improved recognition accuracy as well. See [Specify a face detection model](./how-to/specify-detection-model.md) for more details. ### New detectable Face attributes -* The `faceMask` attribute is available with the latest Detection 03 model, along with the additional attribute `"noseAndMouthCovered"` which detects whether the face mask is worn as intended, covering both the nose and mouth. To use the latest mask detection capability, users need to specify the detection model in the API request: assign the model version with the _detectionModel_ parameter to `detection_03`. See [Specify a face detection model](./how-to/specify-detection-model.md) for more details. 
+* The `faceMask` attribute is available with the latest Detection 03 model, along with the added attribute `"noseAndMouthCovered"`, which detects whether the face mask is worn as intended, covering both the nose and mouth. To use the latest mask detection capability, users need to specify the detection model in the API request: assign the model version with the _detectionModel_ parameter to `detection_03`. See [Specify a face detection model](./how-to/specify-detection-model.md) for more details. ### New Face API Recognition Model -* The new Recognition 04 model is the most accurate recognition model currently available. If you're a new customer, we recommend using this model for verification and identification. It improves upon the accuracy of Recognition 03, including improved recognition for users wearing face covers (surgical masks, N95 masks, cloth masks). Note that we recommend against enrolling images of users wearing face covers as this will lower recognition quality. Now customers can build safe and seamless user experiences that detect whether a user is wearing a face cover with the latest Detection 03 model, and recognize them with the latest Recognition 04 model. See [Specify a face recognition model](./how-to/specify-recognition-model.md) for more details. +* The new Recognition 04 model is the most accurate recognition model currently available. If you're a new customer, we recommend using this model for verification and identification. It improves upon the accuracy of Recognition 03, including improved recognition for users wearing face covers (surgical masks, N95 masks, cloth masks). We recommend against enrolling images of users wearing face covers as this will lower recognition quality. Now customers can build safe and seamless user experiences that detect whether a user is wearing a face cover with the latest Detection 03 model, and recognize them with the latest Recognition 04 model. 
See [Specify a face recognition model](./how-to/specify-recognition-model.md) for more details. ## January 2021 @@ -375,7 +375,7 @@ See the [OCR overview](overview-ocr.md) to learn more. ## April 2020 ### New Face API Recognition Model -* The new recognition 03 model is the most accurate model currently available. If you're a new customer, we recommend using this model. Recognition 03 will provide improved accuracy for both similarity comparisons and person-matching comparisons. More details can be found at [Specify a face recognition model](./how-to/specify-recognition-model.md). +* The new recognition 03 model is the most accurate model currently available. If you're a new customer, we recommend using this model. Recognition 03 provides improved accuracy for both similarity comparisons and person-matching comparisons. More details can be found at [Specify a face recognition model](./how-to/specify-recognition-model.md). ## March 2020 diff --git a/articles/ai-services/custom-vision-service/overview.md b/articles/ai-services/custom-vision-service/overview.md index 31915250a07df..2ae12e9b4fedd 100644 --- a/articles/ai-services/custom-vision-service/overview.md +++ b/articles/ai-services/custom-vision-service/overview.md @@ -8,7 +8,7 @@ manager: nitinme ms.service: azure-ai-custom-vision ms.topic: overview -ms.date: 07/04/2023 +ms.date: 03/11/2024 ms.author: pafarley keywords: image recognition, image identifier, image recognition app, custom vision #Customer intent: As a data scientist/developer, I want to understand what the Custom Vision service does so that I can determine if it's suitable for my project. 
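Review bot: same structural issue as the QualityForRecognition hunk above: moving "See [Specify a face recognition model](./how-to/specify-recognition-model.md) for more details." onto its own unindented line detaches it from the Recognition 04 bullet and renders it as a standalone paragraph; keep it inline or indent it under the bullet. Dropping "Note that" before "we recommend against enrolling images of users wearing face covers" is fine, and the ms.date bump to 03/11/2024 in the Custom Vision overview front matter matches the content edits that follow in that file.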
@@ -16,7 +16,7 @@ keywords: image recognition, image identifier, image recognition app, custom vis # What is Custom Vision? -Azure AI Custom Vision is an image recognition service that lets you build, deploy, and improve your own image identifier models. An image identifier applies labels to images, according to their visual characteristics. Each label represents a classification or object. Unlike the [Azure AI Vision](../computer-vision/overview.md) service, Custom Vision allows you to specify your own labels and train custom models to detect them. +Azure AI Custom Vision is an image recognition service that lets you build, deploy, and improve your own **image identifier** models. An image identifier applies labels to images, according to their visual characteristics. Each label represents a classification or object. Custom Vision allows you to specify your own labels and train custom models to detect them. > [!TIP] > The Azure AI vision Image Analysis API, based on Florence foundational model, now supports custom models with few-shot learning capability. [Use Image Analysis 4.0](../computer-vision/how-to/model-customization.md) to create custom image identifier models using the latest technology from Azure. To migrate a Custom Vision project to the new Image Analysis 4.0 system, see the [Migration guide](../computer-vision/how-to/migrate-from-custom-vision.md). To compare the two services, see the [Comparison page](./concepts/compare-alternatives.md). 
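Review bot: removing "Unlike the [Azure AI Vision] service" loses the one sentence that told a reader when to pick Custom Vision over Image Analysis; the TIP immediately below still links the comparison page, so the contrast survives, but consider keeping a short "unlike the built-in labels of Azure AI Vision" clause so the bolded **image identifier** paragraph is self-contained. On the visible context line, "Azure AI vision Image Analysis API" should be "Azure AI Vision Image Analysis API" to match the product name used elsewhere in this change.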
@@ -27,7 +27,7 @@ You can use Custom Vision through a client library SDK, REST API, or through the > [!div class="nextstepaction"] > [Quickstart (web portal)](getting-started-build-a-classifier.md) -:::image type="content" source="media/overview/image-example.png" alt-text="Screenshot of an image on the Custom Vision website with predicted tags." ::: +:::image type="content" source="media/overview/image-example.png" alt-text="Screenshot of an image on the Custom Vision website with predicted tags." lightbox="media/overview/image-example.png" ::: This documentation contains the following types of articles: * The [quickstarts](./getting-started-build-a-classifier.md) are step-by-step instructions that let you make calls to the service and get results in a short period of time. 
@@ -35,25 +35,25 @@ This documentation contains the following types of articles: * The [tutorials](./iot-visual-alerts-tutorial.md) are longer guides that show you how to use this service as a component in broader business solutions. -For a more structured approach, follow a Training module for Custom Vision: +For a more structured approach, follow a **Training module** for Custom Vision: * [Classify images with the Custom Vision service](/training/modules/classify-images-custom-vision/) * [Classify endangered bird species with Custom Vision](/training/modules/cv-classify-bird-species/) ## How it works -The Custom Vision service uses a machine learning algorithm to analyze images. You submit sets of images that have and don't have the visual characteristics you're looking for. Then you label the images with your own custom labels (tags) at the time of submission. The algorithm trains to this data and calculates its own accuracy by testing itself on the same images. Once you've trained your model, you can test, retrain, and eventually use it in your image recognition app to [classify images](getting-started-build-a-classifier.md) or [detect objects](get-started-build-detector.md). You can also [export the model](export-your-model.md) for offline use. +The Custom Vision service uses a machine learning algorithm to analyze images for custom features. You submit sets of images that do and don't have the visual characteristics you're looking for. Then you label the images with your own labels (tags) at the time of submission. The algorithm trains to this data and calculates its own accuracy by testing itself on the same images. Once you've trained your model, you can test, retrain, and eventually use it in your image recognition app to [classify images](getting-started-build-a-classifier.md) or [detect objects](get-started-build-detector.md). You can also [export the model](export-your-model.md) for offline use. 
### Classification and object detection -Custom Vision functionality can be divided into two features. **[Image classification](getting-started-build-a-classifier.md)** applies one or more labels to an entire image. **[Object detection](get-started-build-detector.md)** is similar, but it returns the coordinates in the image where the applied label(s) can be found. +Custom Vision functionality can be divided into two features. **[Image classification](getting-started-build-a-classifier.md)** applies one or more labels to an entire image. **[Object detection](get-started-build-detector.md)** is similar, but it returns the coordinates in the image where the applied label(s) are found. -### Optimization +### Use case optimization The Custom Vision service is optimized to quickly recognize major differences between images, so you can start prototyping your model with a small amount of data. It's generally a good start to use 50 images per label. However, the service isn't optimal for detecting subtle differences in images (for example, detecting minor cracks or dents in quality assurance scenarios). Additionally, you can choose from several variations of the Custom Vision algorithm that are optimized for images with certain subject material—for example, landmarks or retail items. For more information, see [Select a domain](select-domain.md). -## How to use it +## How to use Custom Vision The Custom Vision Service is available as a set of native SDKs and through a web-based interface on the [Custom Vision portal](https://customvision.ai/). You can create, test, and train a model through either interface or use both together. 
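Review bot: the sentence "The algorithm trains to this data and calculates its own accuracy by testing itself on the same images" is carried through the rewrite unchanged, and taken literally it describes training-set accuracy, which tells a reader nothing about how the model will behave on new images; the paragraph should state what evaluation the service actually performs (held-out images, cross-validation, or similar) or drop the claim rather than imply that accuracy measured on the training images is meaningful. The heading renames ("Use case optimization", "How to use Custom Vision") and "do and don't have" are fine.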
@@ -74,9 +74,9 @@ As a part of Azure, Custom Vision Service has components that are maintained acr As with all of the Azure AI services, developers using the Custom Vision service should be aware of Microsoft's policies on customer data. See the [Azure AI services page](https://www.microsoft.com/trustcenter/cloudservices/cognitiveservices) on the Microsoft Trust Center to learn more. -## Data residency +### Data residency -Custom Vision primarily doesn't replicate data out of the specified region, except for one region, `NorthCentralUS`, where there is no local Azure Support. +Custom Vision doesn't replicate data outside of the specified region, except for one region, `NorthCentralUS`, where there is no local Azure Support. ## Next steps diff --git a/articles/ai-services/openai/concepts/models.md b/articles/ai-services/openai/concepts/models.md index 46cb897a36eb3..a9cf557e4e54c 100644 --- a/articles/ai-services/openai/concepts/models.md +++ b/articles/ai-services/openai/concepts/models.md 
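Review bot: the rewritten data residency sentence still does not say where `NorthCentralUS` data is replicated to, or what is replicated (uploaded training images, the trained model, or both); for a data residency statement that is exactly what a reader needs, so the exception should name the destination region and the data in scope. "Azure Support" should be lowercase "Azure support", and demoting the heading from `##` to `###` is right only if the preceding customer-data paragraph sits under the `##` section this heading is now meant to belong to.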
@@ -85,6 +85,17 @@ You can also use the OpenAI text to speech voices via Azure AI Speech. To learn ## Model summary table and region availability +> [!NOTE] +> This article only covers model/region availability that applies to all Azure OpenAI customers with deployment types of **Standard**. Some select customers have access to model/region combinations that are not listed in the unified table below. These tables also do not apply to customers using only **Provisioned** deployment types which have their own unique model/region availability matrix. For more information on **Provisioned** deployments refer to our [Provisioned guidance](./provisioned-throughput.md). + +### Standard deployment model availability + +[!INCLUDE [Standard Models](../includes/model-matrix/standard-models.md)] + +### Standard deployment model quota + +[!INCLUDE [Quota](../includes/model-matrix/quota.md)] + ### GPT-4 and GPT-4 Turbo Preview models GPT-4, GPT-4-32k, and GPT-4 Turbo with Vision are now available to all Azure OpenAI Service customers. Availability varies by region. If you don't see GPT-4 in your region, please check back later. @@ -128,13 +139,16 @@ GPT-4 version 0125-preview is an updated version of the GPT-4 Turbo preview prev #### Public cloud regions -| Model | Regions where model is available to all subscriptions with Azure OpenAI access | Regions where model is available only to subscriptions with previous access to that model/region | -|---|:---|:---| -| gpt-4 (0314) | | East US
France Central
South Central US
UK South | -| gpt-4 (0613) | Australia East
Canada East
France Central
Sweden Central
Switzerland North | East US
East US 2
Japan East
UK South | -| gpt-4 (1106-Preview) | Australia East
Canada East
East US 2
France Central
Norway East
South India
Sweden Central
UK South
West US | | -| gpt-4 (0125-Preview) | East US
North Central US
South Central US
| -| gpt-4 (vision-preview) | Sweden Central
West US
Japan East
Switzerland North
Australia East| | +[!INCLUDE [GPT-4](../includes/model-matrix/standard-gpt-4.md)] + +#### Select customer access + +In addition to the regions above which are available to all Azure OpenAI customers, some select pre-existing customers have been granted access to versions of GPT-4 in additional regions: + +| Model | Region | +|---|:---| +| `gpt-4` (0314) | East US
France Central
South Central US
UK South | +| `gpt-4` (0613) | East US
East US 2
Japan East
UK South | #### Azure Government regions @@ -144,7 +158,6 @@ The following GPT-4 models are available with [Azure Government](/azure/azure-go |--|--| | `gpt-4` (1106-Preview) | US Gov Virginia
US Gov Arizona | - ### GPT-3.5 models > [!IMPORTANT] @@ -159,19 +172,20 @@ See [model versions](../concepts/model-versions.md) to learn about how Azure Ope > [!NOTE] > Version `0613` of `gpt-35-turbo` and `gpt-35-turbo-16k` will be retired no earlier than June 13, 2024. Version `0301` of `gpt-35-turbo` will be retired no earlier than July 5, 2024. See [model updates](../how-to/working-with-models.md#model-updates) for model upgrade behavior. -### GPT-3.5-Turbo model availability +| Model ID | Max Request (tokens) | Training Data (up to) | +| --------- |:------:|:----:| +| `gpt-35-turbo`**1** (0301) | 4,096 | Sep 2021 | +| `gpt-35-turbo` (0613) | 4,096 | Sep 2021 | +| `gpt-35-turbo-16k` (0613) | 16,384 | Sep 2021 | +| `gpt-35-turbo-instruct` (0914) | 4,097 |Sep 2021 | +| `gpt-35-turbo` (1106) | Input: 16,385
Output: 4,096 | Sep 2021| +| `gpt-35-turbo` (0125) **NEW** | 16,385 | Sep 2021 | +### GPT-3.5-Turbo model availability #### Public cloud regions -| Model ID | Model Availability | Max Request (tokens) | Training Data (up to) | -| --------- | -------------------- |:------:|:----:| -| `gpt-35-turbo`**1** (0301) | East US
France Central
South Central US
UK South
West Europe | 4,096 | Sep 2021 | -| `gpt-35-turbo` (0613) | Australia East
Canada East
East US
East US 2
France Central
Japan East
North Central US
Sweden Central
Switzerland North
UK South | 4,096 | Sep 2021 | -| `gpt-35-turbo-16k` (0613) | Australia East
Canada East
East US
East US 2
France Central
Japan East
North Central US
Sweden Central
Switzerland North
UK South | 16,384 | Sep 2021 | -| `gpt-35-turbo-instruct` (0914) | East US
Sweden Central | 4,097 |Sep 2021 | -| `gpt-35-turbo` (1106) | Australia East
Canada East
France Central
South India
Sweden Central
UK South
West US | Input: 16,385
Output: 4,096 | Sep 2021| -|`gpt-35-turbo` (0125) **NEW** | Canada East
North Central US
South Central US | 16,385 | Sep 2021 | +[!INCLUDE [GPT-35-Turbo](../includes/model-matrix/standard-gpt-35-turbo.md)] **1** This model will accept requests > 4,096 tokens. It is not recommended to exceed the 4,096 input token limit as the newer version of the model are capped at 4,096 tokens. If you encounter issues when exceeding 4,096 input tokens with this model this configuration is not officially supported. @@ -182,16 +196,20 @@ These models can only be used with Embedding API requests. > [!NOTE] > `text-embedding-3-large` is the latest and most capable embedding model. Upgrading between embedding models is not possible. In order to migrate from using `text-embedding-ada-002` to `text-embedding-3-large` you would need to generate new embeddings. -| Model ID | Model Availability | Max Request (tokens) | Output Dimensions |Training Data (up-to) +| Model ID | Max Request (tokens) | Output Dimensions |Training Data (up-to) |---|---| :---:|:---:|:---:| -| `text-embedding-ada-002` (version 2) | Australia East
Canada East
East US
East US2
France Central
Japan East
North Central US
Norway East
South Central US
Sweden Central
Switzerland North
UK South
West Europe
West US |8,191 | 1,536 | Sep 2021 | -| `text-embedding-ada-002` (version 1) | East US
South Central US
West Europe |2,046 | 1,536 | Sep 2021 | -| `text-embedding-3-large` | Canada East, East US, East US 2 | 8,191 | 3,072 |Sep 2021 | -| `text-embedding-3-small` | Canada East, East US, East US 2 | 8,191| 1,536 | Sep 2021 | +| `text-embedding-ada-002` (version 2) |8,191 | 1,536 | Sep 2021 | +| `text-embedding-ada-002` (version 1) |2,046 | 1,536 | Sep 2021 | +| `text-embedding-3-large` | 8,191 | 3,072 |Sep 2021 | +| `text-embedding-3-small` | 8,191| 1,536 | Sep 2021 | > [!NOTE] > When sending an array of inputs for embedding, the max number of input items in the array per call to the embedding endpoint is 2048. +#### Public cloud regions + +[!INCLUDE [Embeddings](../includes/model-matrix/standard-embeddings.md)] + #### Azure Government regions The following Embeddings models are available with [Azure Government](/azure/azure-government/documentation-government-welcome): @@ -221,7 +239,6 @@ The following Embeddings models are available with [Azure Government](/azure/azu | `gpt-35-turbo` (1106) | North Central US
Sweden Central | Input: 16,385
Output: 4,096 | Sep 2021| | `gpt-35-turbo` (0125) | North Central US
Sweden Central | 16,385 | Sep 2021 | - ### Whisper models | Model ID | Model Availability | Max Request (audio file size) | @@ -245,12 +262,7 @@ For Assistants you need a combination of a supported model, and a supported regi | East US 2 | ✅ | | ✅ |✅ | | | Sweden Central | ✅ |✅ |✅ |✅| | -Provisioned Throughput Unit (PTU) availability - -| Region | `gpt-35-turbo (1106)` | `gpt-4 (1106)` | `gpt-4 (0125)` | -|-----|---|---|---| -| East US 2 | | ✅ | ✅ | -| Sweden Central | ✅ |✅ |✅ | +For information on Provisioned Throughput Unit (PTU) availability, see [provisioned throughput](./provisioned-throughput.md). ## Next steps diff --git a/articles/ai-services/openai/includes/model-matrix/quota.md b/articles/ai-services/openai/includes/model-matrix/quota.md new file mode 100644 index 0000000000000..a94869593f5a9 --- /dev/null +++ b/articles/ai-services/openai/includes/model-matrix/quota.md 
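Review bot: in models.md, the embeddings table header was reduced from five columns to four (`| Model ID | Max Request (tokens) | Output Dimensions |Training Data (up-to)`) but the unchanged delimiter row beneath it is still `|---|---| :---:|:---:|:---:|`, five columns; GitHub-flavored Markdown requires the header and delimiter rows to have the same cell count, so this table will not render as a table. Remove one column from the delimiter row, and while there add the missing trailing `|` on the new header row and the space in `|Training Data`.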
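Review bot: in models.md, the relocated GPT-3.5 token table is inserted directly above the re-added `### GPT-3.5-Turbo model availability` heading with no blank line between the last row and the heading; add the blank line so the table terminates cleanly. The footnote sentence kept as context, "as the newer version of the model are capped at 4,096 tokens", has a number disagreement ("newer versions of the model are capped"), and the new "Select customer access" paragraph needs a comma: "In addition to the regions above, which are available to all Azure OpenAI customers, ...".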
@@ -0,0 +1,31 @@ +--- +title: 'Quota regional limits' +titleSuffix: Azure OpenAI Service +description: Quota and limits for Azure OpenAI by region. +manager: nitinme +ms.service: azure-ai-openai +ms.topic: include +ms.date: 03/13/2024 +--- + +The default quota for models varies by model and region. Default quota limits are subject to change. + +| Region | GPT-4 | GPT-4-32K | GPT-4-Turbo | GPT-4-Turbo-V | GPT-35-Turbo | GPT-35-Turbo-Instruct | Text-Embedding-Ada-002 | text-embedding-3-small | text-embedding-3-large | Babbage-002 | Babbage-002 - finetune | Davinci-002 | Davinci-002 - finetune | GPT-35-Turbo - finetune | GPT-35-Turbo-1106 - finetune | GPT-35-Turbo-0125 - finetune | +|:-----------------|:-------:|:-----------:|:-------------:|:---------------:|:--------------:|:-----------------------:|:------------------------:|:------------------------:|:------------------------:|:-------------:|:------------------------:|:-------------:|:------------------------:|:-------------------------:|:------------------------------:|:-------------------------------| +| australiaeast | 40 K | 80 K | 80 K | 30 K | 300 K | - | 350 K | - | - | - | - | - | - | - | - | - | +| brazilsouth | - | - | - | - | - | - | 350 K | - | - | - | - | - | - | - | - | - | +| canadaeast | 40 K | 80 K | 80 K | - | 300 K | - | 350 K | 350 K | 350 K | - | - | - | - | - | - | - | +| eastus | - | - | 80 K | - | 240 K | 240 K | 240 K | 350 K | 350 K | - | - | - | - | - | - | - | +| eastus2 | 40 K | 80 K | 80 K | - | 300 K | - | 350 K | 350 K | 350 K | - | - | - | - | - | - | - | +| francecentral | 20 K | 60 K | 80 K | - | 240 K | - | 240 K | - | - | - | - | - | - | - | - | - | +| japaneast | 40 K | 80 K | - | 30 K | 313 K | - | 350 K | - | - | - | - | - | - | - | - | - | +| northcentralus | - | - | 80 K | - | 300 K | - | 350 K | - | - | 240 K | 250 K | 240 K | 250 K | 250 K | 250 K | 250 K | +| norwayeast | - | - | 150 K | - | - | - | 350 K | - | - | - | - | - | - | - | - | - | +| southafricanorth | - | 
- | - | - | - | - | 350 K | - | - | - | - | - | - | - | - | - | +| southcentralus | - | - | 80 K | - | 240 K | - | 240 K | - | - | - | - | - | - | - | - | - | +| southindia | - | - | 150 K | - | 300 K | - | 350 K | - | - | - | - | - | - | - | - | - | +| swedencentral | 40 K | 80 K | 150 K | 30 K | 305 K | 240 K | 350 K | - | - | 240 K | 250 K | 240 K | 250 K | 250 K | 250 K | 250 K | +| switzerlandnorth | 40 K | 80 K | - | 30 K | 300 K | - | 350 K | - | - | - | - | - | - | - | - | - | +| uksouth | 40 K | 80 K | 80 K | - | 240 K | - | 350 K | - | - | - | - | - | - | - | - | - | +| westeurope | - | - | - | - | 240 K | - | 240 K | - | - | - | - | - | - | - | - | - | +| westus | - | - | 80 K | 30 K | 300 K | - | 350 K | - | - | - | - | - | - | \ No newline at end of file diff --git a/articles/ai-services/openai/includes/model-matrix/standard-embeddings.md b/articles/ai-services/openai/includes/model-matrix/standard-embeddings.md new file mode 100644 index 0000000000000..daed628f7543e --- /dev/null +++ b/articles/ai-services/openai/includes/model-matrix/standard-embeddings.md 
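Review bot: quota.md never states the unit of the values in the table ("40 K", "350 K"); they read as token counts, but the table does not say tokens per what (per minute, per request), and "The default quota for models varies by model and region" does not supply it, so the lead sentence or the column headers should carry the unit. The `westus` row has 14 value cells against 16 model columns in the header, so the two trailing fine-tune columns are silently blank, and the last delimiter cell `:-------------------------------|` lacks the trailing `:` the other cells use. Column names also mix `Text-Embedding-Ada-002` with `text-embedding-3-small`; use the lowercase model IDs throughout. The file is also missing a trailing newline.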
@@ -0,0 +1,29 @@ +--- +title: Standard Embeddings models +titleSuffix: Azure OpenAI Service +description: embedding model regional availability +manager: nitinme +ms.service: azure-ai-openai +ms.topic: include +ms.date: 03/13/2024 +--- + +| `Region` | `text-embedding-ada-002`, `2` | `text-embedding-ada-002`, `1` | `text-embedding-3-small`, `1` | `text-embedding-3-large`, `1` | +|:-----------------|:---------------------------------:|:---------------------------------:|:---------------------------------:|:---------------------------------:| +| australiaeast | ✅ | - | - | - | +| brazilsouth | ✅ | - | - | - | +| canadaeast | ✅ | - | ✅ | ✅ | +| eastus | ✅ | ✅ | ✅ | ✅ | +| eastus2 | ✅ | - | ✅ | ✅ | +| francecentral | ✅ | - | - | - | +| japaneast | ✅ | - | - | - | +| northcentralus | ✅ | - | - | - | +| norwayeast | ✅ | - | - | - | +| southafricanorth | ✅ | - | - | - | +| southcentralus | ✅ | ✅ | - | - | +| southindia | ✅ | - | - | - | +| swedencentral | ✅ | - | - | - | +| switzerlandnorth | ✅ | - | - | - | +| uksouth | ✅ | - | - | - | +| westeurope | ✅ | - | - | - | +| westus | ✅ | - | - | - | \ No newline at end of file diff --git a/articles/ai-services/openai/includes/model-matrix/standard-gpt-35-turbo.md b/articles/ai-services/openai/includes/model-matrix/standard-gpt-35-turbo.md new file mode 100644 index 0000000000000..3809a75695ab2 --- /dev/null +++ b/articles/ai-services/openai/includes/model-matrix/standard-gpt-35-turbo.md 
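Review bot: standard-embeddings.md drops a region relative to the table it replaces: the removed models.md row listed `text-embedding-ada-002` (version 1) in East US, South Central US, and West Europe, but the new matrix shows `westeurope` with `-` in the `text-embedding-ada-002`, `1` column. Confirm whether West Europe was intentionally removed; if it was, the change is a silent availability reduction that deserves a line in the PR description, and if not, that cell should be ✅. The other three embedding columns match the removed rows cell for cell.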
@@ -0,0 +1,26 @@ +--- +title: Standard GPT-35-Turbo models +titleSuffix: Azure OpenAI Service +description: Standard GPT-35-Turbo model availability +manager: nitinme +ms.service: azure-ai-openai +ms.topic: include +ms.date: 03/13/2024 +--- + +| `Region` | `gpt-35-turbo`, `0301` | `gpt-35-turbo`, `0613` | `gpt-35-turbo`, `1106` | `gpt-35-turbo`, `0125` | `gpt-35-turbo-16k`, `0613` | `gpt-35-turbo-instruct`, `0914` | +|:-----------------|:--------------------------:|:--------------------------:|:--------------------------:|:--------------------------:|:------------------------------:|:-----------------------------------:| +| australiaeast | - | ✅ | ✅ | - | ✅ | - | +| canadaeast | - | ✅ | ✅ | ✅ | ✅ | - | +| eastus | ✅ | ✅ | - | - | ✅ | ✅ | +| eastus2 | - | ✅ | - | - | ✅ | - | +| francecentral | ✅ | ✅ | ✅ | - | ✅ | - | +| japaneast | - | ✅ | - | - | ✅ | - | +| northcentralus | - | ✅ | - | ✅ | ✅ | - | +| southcentralus | ✅ | - | - | ✅ | - | - | +| southindia | - | - | ✅ | - | - | - | +| swedencentral | - | ✅ | ✅ | - | ✅ | ✅ | +| switzerlandnorth | - | ✅ | - | - | ✅ | - | +| uksouth | ✅ | ✅ | ✅ | - | ✅ | - | +| westeurope | ✅ | - | - | - | - | - | +| westus | - | - | ✅ | - | - | - | \ No newline at end of file diff --git a/articles/ai-services/openai/includes/model-matrix/standard-gpt-4.md b/articles/ai-services/openai/includes/model-matrix/standard-gpt-4.md new file mode 100644 index 0000000000000..8499938ab6a49 --- /dev/null +++ b/articles/ai-services/openai/includes/model-matrix/standard-gpt-4.md 
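Review bot: standard-gpt-35-turbo.md reproduces the removed GPT-3.5 availability table row for row, so the data is consistent, but the header convention "`gpt-35-turbo`, `0301`" (model ID, comma, version) is introduced here and in the sibling includes without a legend, and the `Region` header is wrapped in backticks as if it were an identifier; add a one-line legend above the table (or in the parent article where the include is used) and drop the backticks from `Region`. The file also lacks a trailing newline, as do the other new includes.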
@@ -0,0 +1,26 @@ +--- +title: Standard GPT-4 models +titleSuffix: Azure OpenAI Service +description: Standard GPT-4 model availability +manager: nitinme +ms.service: azure-ai-openai +ms.topic: include +ms.date: 03/13/2024 +--- + +| `Region` | `gpt-4`, `0613` | `gpt-4`, `1106-Preview` | `gpt-4`, `0125-Preview` | `gpt-4`, `vision-preview` | `gpt-4-32k`, `0613` | +|:-----------------|:-------------------:|:---------------------------:|:---------------------------:|:-----------------------------:|:-----------------------:| +| australiaeast | ✅ | ✅ | - | ✅ | ✅ | +| canadaeast | ✅ | ✅ | - | - | ✅ | +| eastus | - | - | ✅ | - | - | +| eastus2 | ✅ | ✅ | - | - | ✅ | +| francecentral | ✅ | ✅ | - | - | ✅ | +| japaneast | ✅ | - | - | ✅ | ✅ | +| northcentralus | - | - | ✅ | - | - | +| norwayeast | - | ✅ | - | - | - | +| southcentralus | - | - | ✅ | - | - | +| southindia | - | ✅ | - | - | - | +| swedencentral | ✅ | ✅ | - | ✅ | ✅ | +| switzerlandnorth | ✅ | - | - | ✅ | ✅ | +| uksouth | ✅ | ✅ | - | - | ✅ | +| westus | - | ✅ | - | ✅ | - | \ No newline at end of file diff --git a/articles/ai-services/openai/includes/model-matrix/standard-models.md b/articles/ai-services/openai/includes/model-matrix/standard-models.md new file mode 100644 index 0000000000000..6f18ae5d5607d --- /dev/null +++ b/articles/ai-services/openai/includes/model-matrix/standard-models.md 
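Review bot: standard-gpt-4.md lists `gpt-4`, `0613` as available in `eastus2`, `japaneast`, and `uksouth`, but the removed models.md table placed those three regions in the "available only to subscriptions with previous access" column, and the new "Select customer access" table in models.md still lists `gpt-4` (0613) in East US, East US 2, Japan East, and UK South. As written, the same model/region pairs appear both as generally available and as select-customer-only; one of the two tables is wrong, and since the new `[!NOTE]` says the unified table covers only what applies to all Standard customers, the include should show `-` for those cells unless access was actually widened. The `gpt-4-32k`, `0613` column is new information with no counterpart in the removed table, so it is worth calling out in the PR description.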
@@ -0,0 +1,30 @@ +--- +title: Standard model availability +titleSuffix: Azure OpenAI Service +description: Quota and limits for Azure OpenAI by region. +manager: nitinme +ms.service: azure-ai-openai +ms.topic: include +ms.date: 03/13/2024 +--- + + +| `Region` | `gpt-4`, `0613` | `gpt-4`, `1106-Preview` | `gpt-4`, `0125-Preview` | `gpt-4`, `vision-preview` | `gpt-4-32k`, `0613` | `gpt-35-turbo`, `0301` | `gpt-35-turbo`, `0613` | `gpt-35-turbo`, `1106` | `gpt-35-turbo`, `0125` | `gpt-35-turbo-16k`, `0613` | `gpt-35-turbo-instruct`, `0914` | `text-embedding-ada-002`, `2` | `text-embedding-ada-002`, `1` | `text-embedding-3-small`, `1` | `text-embedding-3-large`, `1` | `babbage-002`, `1` | `dall-e-3`, `3.0` | `davinci-002`, `1` | `tts`, `001` | `tts-hd`, `001` | `whisper`, `001` | +|:-----------------|:-------------------:|:---------------------------:|:---------------------------:|:-----------------------------:|:-----------------------:|:--------------------------:|:--------------------------:|:--------------------------:|:--------------------------:|:------------------------------:|:-----------------------------------:|:---------------------------------:|:---------------------------------:|:---------------------------------:|:---------------------------------:|:----------------------:|:---------------------:|:----------------------:|:----------------:|:-------------------:|:--------------------:| +| australiaeast | ✅ | ✅ | - | ✅ | ✅ | - | ✅ | ✅ | - | ✅ | - | ✅ | - | - | - | - | ✅ | - | - | - | - | +| brazilsouth | - | - | - | - | - | - | - | - | - | - | - | ✅ | - | - | - | - | - | - | - | - | - | +| canadaeast | ✅ | ✅ | - | - | ✅ | - | ✅ | ✅ | ✅ | ✅ | - | ✅ | - | ✅ | ✅ | - | - | - | - | - | - | +| eastus | - | - | ✅ | - | - | ✅ | ✅ | - | - | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | - | ✅ | - | - | - | - | +| eastus2 | ✅ | ✅ | - | - | ✅ | - | ✅ | - | - | ✅ | - | ✅ | - | ✅ | ✅ | - | - | - | - | - | ✅ | +| francecentral | ✅ | ✅ | - | - | ✅ | ✅ | ✅ | ✅ | - | ✅ | - | ✅ | - | - | - | - | - 
| - | - | - | - | +| japaneast | ✅ | - | - | ✅ | ✅ | - | ✅ | - | - | ✅ | - | ✅ | - | - | - | - | - | - | - | - | - | +| northcentralus | - | - | ✅ | - | - | - | ✅ | - | ✅ | ✅ | - | ✅ | - | - | - | ✅ | - | ✅ | ✅ | ✅ | ✅ | +| norwayeast | - | ✅ | - | - | - | - | - | - | - | - | - | ✅ | - | - | - | - | - | - | - | - | ✅ | +| southafricanorth | - | - | - | - | - | - | - | - | - | - | - | ✅ | - | - | - | - | - | - | - | - | - | +| southcentralus | - | - | ✅ | - | - | ✅ | - | - | ✅ | - | - | ✅ | ✅ | - | - | - | - | - | - | - | - | +| southindia | - | ✅ | - | - | - | - | - | ✅ | - | - | - | ✅ | - | - | - | - | - | - | - | - | ✅ | +| swedencentral | ✅ | ✅ | - | ✅ | ✅ | - | ✅ | ✅ | - | ✅ | ✅ | ✅ | - | - | - | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | +| switzerlandnorth | ✅ | - | - | ✅ | ✅ | - | ✅ | - | - | ✅ | - | ✅ | - | - | - | - | - | - | - | - | - | +| uksouth | ✅ | ✅ | - | - | ✅ | ✅ | ✅ | ✅ | - | ✅ | - | ✅ | - | - | - | - | - | - | - | - | - | +| westeurope | - | - | - | - | - | ✅ | - | - | - | - | - | ✅ | - | - | - | - | - | - | - | - | ✅ | +| westus | - | ✅ | - | ✅ | - | - | - | ✅ | - | - | - | ✅ | - | - | - | - | - | - | - | - | - | \ No newline at end of file diff --git a/articles/ai-services/openai/quotas-limits.md b/articles/ai-services/openai/quotas-limits.md index 42b4cc3d70ac4..f4ac978a78741 100644 --- a/articles/ai-services/openai/quotas-limits.md +++ b/articles/ai-services/openai/quotas-limits.md 
@@ -48,28 +48,7 @@ The following sections provide you with a quick guide to the default quotas and ## Regional quota limits -The default quota for models varies by model and region. Default quota limits are subject to change. - - -| Region | Text-Embedding-Ada-002 | text-embedding-3-small | text-embedding-3-large | GPT-35-Turbo | GPT-35-Turbo-1106 | GPT-35-Turbo-16K | GPT-35-Turbo-Instruct | GPT-4 | GPT-4-32K | GPT-4-Turbo | GPT-4-Turbo-V | Babbage-002 | Babbage-002 - finetune | Davinci-002 | Davinci-002 - finetune | GPT-35-Turbo - finetune | GPT-35-Turbo-1106 - finetune | GPT-35-Turbo-0125 - finetune | -|:-----------------|:-------------------------|:-------------------------|:-------------------------|:---------------|:--------------------|:-------------------|:------------------------|:--------|:------------|:--------------|:----------------|:--------------|:-------------------------|:--------------|:-------------------------|:--------------------------|:-------------------------------|:-------------------------------| -| australiaeast | 350 K | - | - | 300 K | 120 K | 300 K | - | 40 K | 80 K | 80 K | 30 K | - | - | - | - | - | - | - | -| brazilsouth | 350 K | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | -| canadaeast | 350 K | 350 K | 350 K | 300 K | 120 K | 300 K | - | 40 K | 80 K | 80 K | - | - | - | - | - | - | - | - | -| eastus | 240 K | 350 K | 350 K | 240 K | - | 240 K | 240 K | - | - | 80 K | - | - | - | - | - | - | - | - | -| eastus2 | 350 K | 350 K | 350 K | 300 K | - | 300 K | - | 40 K | 80 K | 80 K | - | - | - | - | - | - | - | - | -| francecentral | 240 K | - | - | 240 K | 120 K | 240 K | - | 20 K | 60 K | 80 K | - | - | - | - | - | - | - | - | -| japaneast | 350 K | - | - | 300 K | - | 300 K | - | 40 K | 80 K | - | 30 K | - | - | - | - | - | - | - | -| northcentralus | 350 K | - | - | 300 K | - | 300 K | - | - | - | 80 K | - | 240 K | 250 K | 240 K | 250 K | 250 K | 250 K | 250 K | -| norwayeast | 350 K | - | - | - | - | - | 
- | - | - | 150 K | - | - | - | - | - | - | - | - | -| southafricanorth | 350 K | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | -| southcentralus | 240 K | - | - | 240 K | - | - | - | - | - | 80 K | - | - | - | - | - | - | - | - | -| southindia | 350 K | - | - | - | 120 K | - | - | - | - | 150 K | - | - | - | - | - | - | - | - | -| swedencentral | 350 K | - | - | 300 K | 120 K | 300 K | 240 K | 40 K | 80 K | 150 K | 30 K | 240 K | 250 K | 240 K | 250 K | 250 K | 250 K | 250 K | -| switzerlandnorth | 350 K | - | - | 300 K | - | 300 K | - | 40 K | 80 K | - | 30 K | - | - | - | - | - | - | - | -| uksouth | 350 K | - | - | 240 K | 120 K | 240 K | - | 40 K | 80 K | 80 K | - | - | - | - | - | - | - | - | -| westeurope | 240 K | - | - | 240 K | - | - | - | - | - | - | - | - | - | - | - | - | - | - | -| westus | 350 K | - | - | - | 120 K | - | - | - | - | 80 K | 30 K | - | - | - | - | - | - | - | +[!INCLUDE [Quota](includes/model-matrix/quota.md)] ### General best practices to remain within rate limits diff --git a/articles/ai-services/speech-service/professional-voice-create-project.md b/articles/ai-services/speech-service/professional-voice-create-project.md index c96c8e753a7a7..9330b807cf341 100644 --- a/articles/ai-services/speech-service/professional-voice-create-project.md +++ b/articles/ai-services/speech-service/professional-voice-create-project.md @@ -11,7 +11,7 @@ ms.author: eur zone_pivot_groups: speech-studio-rest --- -# Create a project for professional voice (preview) +# Create a project for professional voice ::: zone pivot="speech-studio" [!INCLUDE [Speech Studio include](./includes/how-to/professional-voice/create-project/speech-studio.md)] diff --git a/articles/aks/cost-analysis.md b/articles/aks/cost-analysis.md index 8c713590e9c86..74929408c0731 100644 --- a/articles/aks/cost-analysis.md +++ b/articles/aks/cost-analysis.md 
@@ -1,37 +1,33 @@ --- -title: Azure Kubernetes Service cost analysis (preview) +title: Azure Kubernetes Service cost analysis description: Learn how to use cost analysis to surface granular cost allocation data for your Azure Kubernetes Service (AKS) cluster. author: nickomang ms.author: nickoman ms.service: azure-kubernetes-service ms.custom: ignite-2023, devx-track-azurecli ms.topic: how-to -ms.date: 11/06/2023 +ms.date: 03/15/2024 #CustomerIntent: As a cluster operator, I want to obtain cost management information, perform cost attribution, and improve my cluster footprint --- -# Azure Kubernetes Service cost analysis (preview) +# Azure Kubernetes Service cost analysis -An Azure Kubernetes Service (AKS) cluster is reliant on Azure resources like virtual machines, virtual disks, load-balancers and public IP addresses. These resources can be used by multiple applications, which could be maintained by several different teams within your organization. Resource consumption patterns of those applications are often nonuniform, and thus their contribution towards the total cluster resource cost is often nonuniform. Some applications can also have footprints across multiple clusters. This can pose a challenge when performing cost attribution and cost management. +An Azure Kubernetes Service (AKS) cluster is reliant on Azure resources like virtual machines, virtual disks, load-balancers, and public IP addresses. Multiple applications can use these resources, which might be maintained by different teams within your organization. Resource consumption patterns for those applications are often variable, so their contribution towards the total cluster resource cost can also vary. Some applications can also have footprints across multiple clusters, which can pose a challenge when performing cost attribution and cost management. 
Previously, [Microsoft Cost Management (MCM)](../cost-management-billing/cost-management-billing-overview.md) aggregated cluster resource consumption under the cluster resource group. You could use MCM to analyze costs, but there were several challenges: -* Costs were reported per cluster. There was no breakdown into discrete categories such as compute (including CPU cores and memory), storage, and networking. +* There was no Azure-native capability to display cluster resource usage at a level more granular than a cluster. There was no breakdown into discrete categories such as compute (including CPU cores and memory), storage, and networking. -* There was no Azure-native functionality to distinguish between types of costs. For example, individual application versus shared costs. MCM reported the cost of resources, but there was no insight into how much of the resource cost was used to run individual applications, reserved for system processes required by the cluster, or idle cost associated with the cluster. - -* There was no Azure-native capability to display cluster resource usage at a level more granular than a cluster. +* There was no Azure-native functionality to distinguish between types of costs, for example between individual application costs and shared costs. MCM reported the cost of resources, but there was no insight into how much of the resource cost was used to run individual applications, how much was reserved for system processes required by the cluster, or what were the idle costs associated with the cluster. * There was no Azure-native mechanism to analyze costs across multiple clusters in the same subscription scope. -As a result, you might have used third-party solutions, like Kubecost or OpenCost, to gather and analyze resource consumption and costs by Kubernetes-specific levels of granularity, such as by namespace or pod. Third-party solutions, however, require effort to deploy, fine-tune, and maintain for each AKS cluster. 
In some cases, you even need to pay for advance features, increasing the cluster's total cost of ownership. - -To address this challenge, AKS has integrated with MCM to offer detailed cost drill down scoped to Kubernetes constructs, such as cluster and namespace, in addition to Azure Compute, Network, and Storage categories. +As a result, you might have used third-party solutions to gather and analyze resource consumption and costs by Kubernetes-specific levels of granularity, such as by namespace or pod. Third-party solutions, however, require effort to deploy, fine-tune, and maintain for each AKS cluster. In some cases, you even need to pay for advanced features, increasing the cluster's total cost of ownership. -The AKS cost analysis addon is built on top of [OpenCost](https://www.opencost.io/), an open-source Cloud Native Computing Foundation Sandbox project for usage data collection, which gets reconciled with your Azure invoice data. Post-processed data is visible directly in the [MCM Cost Analysis portal experience](/azure/cost-management-billing/costs/quick-acm-cost-analysis). +To address this challenge, AKS has integrated with MCM to offer detailed cost drill-down scoped to Kubernetes constructs, such as cluster and namespace, in addition to Azure Compute, Network, and Storage categories. -[!INCLUDE [preview features callout](./includes/preview/preview-callout.md)] +The AKS cost analysis addon is built on top of [OpenCost](https://www.opencost.io/), an open-source Cloud Native Computing Foundation Sandbox project for usage data collection. The cost analysis is reconciled with your Azure invoice data. Post-processed data is visible directly in the [MCM Cost Analysis portal experience](/azure/cost-management-billing/costs/quick-acm-cost-analysis). ## Prerequisites and limitations 
@@ -39,18 +35,18 @@ The AKS cost analysis addon is built on top of [OpenCost](https://www.opencost.i * To view cost analysis information, you must have one of the following roles on the subscription hosting the cluster: Owner, Contributor, Reader, Cost management contributor, or Cost management reader. -* Once cost analysis has been enabled, you can't downgrade your cluster to the `Free` tier without first disabling cost analysis. +* Once you have enabled cost analysis, you can't downgrade your cluster to the `Free` tier without first disabling cost analysis. * Your cluster must be deployed with a [Microsoft Entra Workload ID](./workload-identity-overview.md) configured. * If using the Azure CLI, you must have version `2.44.0` or later installed, and the `aks-preview` Azure CLI extension version `0.5.155` or later installed. -* The `ClusterCostAnalysis` feature flag must be registered on your subscription. - * Kubernetes cost views are available only for the following Microsoft Azure Offer types. For more information on offer types, see [Supported Microsoft Azure offers](/azure/cost-management-billing/costs/understand-cost-mgt-data#supported-microsoft-azure-offers). * Enterprise Agreement * Microsoft Customer Agreement +* Virtual nodes aren't supported at this time. + ### Install or update the `aks-preview` Azure CLI extension 
@@ -66,31 +62,11 @@ If you need to update the extension version, you can do this using the [`az exte az extension update --name aks-preview ``` -### Register the 'ClusterCostAnalysis' feature flag - -Register the `ClusterCostAnalysis` feature flag by using the [az feature register][az-feature-register] command, as shown in the following example: - -```azurecli-interactive -az feature register --namespace "Microsoft.ContainerService" --name "ClusterCostAnalysis" -``` - -It takes a few minutes for the status to show *Registered*. Verify the registration status by using the [az feature show][az-feature-show] command: - -```azurecli-interactive -az feature show --namespace "Microsoft.ContainerService" --name "ClusterCostAnalysis" -``` - -When the status reflects *Registered*, refresh the registration of the *Microsoft.ContainerService* resource provider by using the [az provider register][az-provider-register] command: - -```azurecli-interactive -az provider register --namespace Microsoft.ContainerService -``` - ## Enable cost analysis on your AKS cluster Cost analysis can be enabled during one of the following operations: -* Create a `Standard` or `Premium` tier AKS cluster +* Create a `Standard` or `Premium` tier AKS cluster. * Update an AKS cluster that is already in `Standard` or `Premium` tier. 
@@ -100,12 +76,15 @@ Cost analysis can be enabled during one of the following operations: * Downgrade a `Premium` cluster to `Standard` tier. -To enable the feature, use the flag `--enable-cost-analysis` in combination with one of these operations. For example, the following command will create a new AKS cluster in the `Standard` tier with cost analysis enabled: +To enable the feature, use the flag `--enable-cost-analysis` in combination with one of these operations. For example, the following command creates a new AKS cluster in the `Standard` tier with cost analysis enabled: ```azurecli-interactive az aks create --resource-group --name --location --enable-managed-identity --generate-ssh-keys --tier standard --enable-cost-analysis ``` +> [!WARNING] +> The AKS cost analysis addon Memory usage is dependent on the number of containers deployed. Memory consumption can be roughly approximated by 200MB + 0.5MB per Container. The current memory limit is set to 4GB which will support approximately 7000 containers per cluster but could be more or less depending on various factors. These estimates are subject to change. + ## Disable cost analysis You can disable cost analysis at any time using `az aks update`. 
@@ -117,12 +96,21 @@ az aks update --name myAKSCluster --resource-group myResourceGroup --disable-cos > [!NOTE] > If you intend to downgrade your cluster from the `Standard` or `Premium` tiers to the `Free` tier while cost analysis is enabled, you must first explicitly disable cost analysis as shown here. -## View cost information +## View the cost data -You can view cost allocation data in the Azure portal. To learn more about how to navigate the cost analysis UI view, see the [Cost Management documentation](/azure/cost-management-billing/costs/view-kubernetes-costs). +You can view cost allocation data in the Azure portal. To learn more about how to navigate the cost analysis UI view, see the [Cost Management documentation](/azure/cost-management-billing/costs/view-kubernetes-costs). + +### Cost definitions + +In the Kubernetes namespaces and assets views you'll see the following charges: + +- **Idle charges**: Represents the cost of available resource capacity that wasn't used by any workloads. +- **Service charges**: Represents the charges associated with the service like Uptime SLA, Microsoft Defender for Containers etc. +- **System charges**: Represents the cost of capacity reserved by AKS on each node to run system processes required by the cluster, including the kubelet and container runtime. [Learn more](./concepts-clusters-workloads.md#resource-reservations). +- **Unallocated charges**: Represents the cost of resources that couldn't be allocated to namespaces. > [!NOTE] -> It might take up to one day for data to finalize +> It might take up to one day for data to finalize. After 24 hours, any fluctuations in costs for the previous day will have stabilized. ## Troubleshooting 
@@ -130,6 +118,8 @@ See the following guide to troubleshoot [AKS cost analysis add-on issues](/troub [az-extension-add]: /cli/azure/extension#az-extension-add -[az-feature-register]: /cli/azure/feature#az_feature_register -[az-feature-show]: /cli/azure/feature#az_feature_show [az-extension-update]: /cli/azure/extension#az-extension-update + +## Learn more + +Visibility is one element of cost management. Refer to [Optimize Costs in Azure Kubernetes Service (AKS)](./best-practices-cost.md) for other best practices on how to gain control over your kubernetes cost. \ No newline at end of file diff --git a/articles/aks/learn/quick-windows-container-deploy-cli.md b/articles/aks/learn/quick-windows-container-deploy-cli.md index f8e81ce63538e..6a0356ed2e241 100644 --- a/articles/aks/learn/quick-windows-container-deploy-cli.md +++ b/articles/aks/learn/quick-windows-container-deploy-cli.md @@ -128,7 +128,7 @@ To use Windows Server 2022, specify the following parameters: - `os-sku` set to `Windows2022` > [!NOTE] -> Windows Server 2022 requires Kubernetes version 1.23.0 or higher. +> Windows Server 2022 requires Kubernetes version 1.23.0 or higher. Windows Server 2022 is being retired after Kubernetes version 1.34 reaches its end of life (EOL). For more information about this retirement, see the [AKS release notes][aks-release-notes]. Add a Windows Server 2022 node pool using the `az aks nodepool add` command: diff --git a/articles/aks/learn/quick-windows-container-deploy-powershell.md b/articles/aks/learn/quick-windows-container-deploy-powershell.md index 7c362783919b0..180a606bbf3f4 100644 --- a/articles/aks/learn/quick-windows-container-deploy-powershell.md +++ b/articles/aks/learn/quick-windows-container-deploy-powershell.md 
@@ -117,6 +117,7 @@ To use Windows Server 2022, specify the following parameters: > > - Specifying the `OsSKU` parameter requires PowerShell Az module version 9.2.0 or higher. > - Windows Server 2022 requires Kubernetes version 1.23.0 or higher. +> - Windows Server 2022 is being retired after Kubernetes version 1.34 reaches its end of life (EOL). For more information about this retirement, see the [AKS release notes][aks-release-notes]. To add a Windows Server 2022 node pool, call the [New-AzAksNodePool][new-azaksnodepool] cmdlet: diff --git a/articles/aks/upgrade-windows-2019-2022.md b/articles/aks/upgrade-windows-2019-2022.md index 81400cd45cc4c..65eeb4fb04db8 100644 --- a/articles/aks/upgrade-windows-2019-2022.md +++ b/articles/aks/upgrade-windows-2019-2022.md 
@@ -1,17 +1,22 @@ --- -title: Upgrade Azure Kubernetes Service (AKS) workloads from Windows Server 2019 to 2022 +title: Upgrade the OS version for your Azure Kubernetes Service (AKS) Windows workloads description: Learn how to upgrade the OS version for Windows workloads on Azure Kubernetes Service (AKS). ms.topic: article ms.custom: linux-related-content ms.date: 09/12/2023 --- -# Upgrade Azure Kubernetes Service (AKS) workloads from Windows Server 2019 to 2022 +# Upgrade the OS version for your Azure Kubernetes Service (AKS) Windows workloads -When upgrading the OS version of a running Windows workload on Azure Kubernetes Service (AKS), you need to deploy a new node pool to ensure the Windows versions match on each node pool. This article describes the steps to upgrade the OS version for Windows workloads on AKS. +When upgrading the OS version of a running Windows workload on Azure Kubernetes Service (AKS), you need to deploy a new node pool to ensure the Windows versions match on each node pool. This article describes the steps to upgrade the OS version for Windows workloads on AKS. While this example focuses on the upgrade from Windows Server 2019 to Windows Server 2022, the same process can be followed to upgrade from any Windows Server version to another. + +## Windows Server OS version support + +When a new version of the Windows Server operating system is released, AKS is committed to supporting it and recommending you upgrade to the latest version to take advantage of the fixes, improvements, and new functionality. AKS provides a five-year support lifecycle for every Windows Server version, starting with Windows Server 2022. During this period, AKS will release a new version that supports a newer version of Windows Server OS for you to upgrade to. > [!NOTE] -> Windows Server 2019 is being retired after Kubernetes version 1.32 reaches end of life (EOL) and won't be supported in future releases. 
For more information about this retirement, see the [AKS release notes][aks-release-notes]. +>- Windows Server 2019 is being retired after Kubernetes version 1.32 reaches end of life (EOL). For more information, see [AKS release notes][aks-release-notes]. +>- Windows Server 2022 is being retired after Kubernetes version 1.34 reaches its end of life (EOL). For more information, see [AKS release notes][aks-release-notes]. ## Limitations diff --git a/articles/aks/windows-best-practices.md b/articles/aks/windows-best-practices.md index 2f1b428b6dd8e..bec53747005a1 100644 --- a/articles/aks/windows-best-practices.md +++ b/articles/aks/windows-best-practices.md 
@@ -30,11 +30,12 @@ You might want to containerize existing applications and run them using Windows > **Best practice guidance** > -> Windows Server 2022 provides the latest security and performance improvements and is the recommended OS for Windows node pools on AKS. +> Windows Server 2022 provides improved security and performance, and is the recommended OS for Windows node pools on AKS. AKS uses Windows Server 2019 and Windows Server 2022 as the host OS versions and only supports process isolation. AKS doesn't support container images built by other versions of Windows Server. For more information, see [Windows container version compatibility](/virtualization/windowscontainers/deploy-containers/version-compatibility). -Windows Server 2022 is the default OS for Kubernetes version 1.25 and later. Windows Server 2019 will retire after Kubernetes version 1.32 reaches end of service and won't be supported in future releases. For more information, see the [AKS release notes][aks-release-notes]. +Windows Server 2022 is the default OS for Kubernetes version 1.25 and later. Windows Server 2019 will retire after Kubernetes version 1.32 reaches end of life (EOL). Windows Server 2022 will retire after Kubernetes version 1.34 reaches its end of life (EOL). For more information, see [AKS release notes][aks-release-notes]. To stay up to date on the latest Windows Server OS versions and learn more about our roadmap of what's planned for support on AKS, see our [AKS public roadmap](https://github.com/azure/aks/projects/1). + ## Networking diff --git a/articles/app-service/overview-private-endpoint.md b/articles/app-service/overview-private-endpoint.md index 35504940518f7..65e9f49db51a5 100644 --- a/articles/app-service/overview-private-endpoint.md +++ b/articles/app-service/overview-private-endpoint.md 
@@ -123,8 +123,8 @@ For pricing details, see [Azure Private Link pricing](https://azure.microsoft.co * Remote Debugging functionality isn't available through the private endpoint. The recommendation is to deploy the code to a slot and remote debug it there. * FTP access is provided through the inbound public IP address. Private endpoint doesn't support FTP access to the app. * IP-Based SSL isn't supported with private endpoints. -* Apps that you configure with private endpoints cannot use [service endpoint-based access restriction rules](./overview-access-restrictions.md#access-restriction-rules-based-on-service-endpoints). -* Private endpoint naming must follow the rules defined for resources of type `Microsoft.Network/privateEndpoints`. Naming rules can be found [here](../azure-resource-manager/management/resource-name-rules.md#microsoftnetwork). +* Apps that you configure with private endpoints cannot receive public traffic coming from subnets with `Microsoft.Web` service endpoint enabled and cannot use [service endpoint-based access restriction rules](./overview-access-restrictions.md#access-restriction-rules-based-on-service-endpoints). +* Private endpoint naming must follow the rules defined for resources of type `Microsoft.Network/privateEndpoints`. Naming rules can be found [here](../azure-resource-manager/management/resource-name-rules.md#microsoftnetwork). We're improving Azure Private Link feature and private endpoint regularly, check [this article](../private-link/private-endpoint-overview.md#limitations) for up-to-date information about limitations. diff --git a/articles/application-gateway/ssl-certificate-management.md b/articles/application-gateway/ssl-certificate-management.md index bc2a8eeb0d5bf..1bcec7c77d3ef 100644 --- a/articles/application-gateway/ssl-certificate-management.md +++ b/articles/application-gateway/ssl-certificate-management.md 
@@ -5,7 +5,7 @@ services: application-gateway author: jaesoni ms.service: application-gateway ms.topic: conceptual -ms.date: 03/01/2023 +ms.date: 03/19/2024 ms.author: jaysoni --- @@ -21,10 +21,7 @@ The TLS/SSL certificates on application gateway are stored in local certificate Here is a sample application gateway configuration. The SSLCertificates property includes certificate object “contoso-agw-cert" linked to a key vault. The “listener1” references that certificate object. -## Understanding the portal section (Preview) - -> [!IMPORTANT] -> The **TLS certificate for Listeners** (TLS termination/End-to-end TLS) is a **Generally available** feature. Only its Portal management experience ([released in March 2023](https://azure.microsoft.com/updates/public-preview-listener-tls-certificates-management-available-in-the-azure-portal/)) is referred to as Preview. +## Understanding the portal section ### Listener SSL certificates diff --git a/articles/application-gateway/toc.yml b/articles/application-gateway/toc.yml index c845856895477..77dcb5d61e991 100644 --- a/articles/application-gateway/toc.yml +++ b/articles/application-gateway/toc.yml @@ -97,7 +97,7 @@ href: mutual-authentication-overview.md - name: Using Key Vault href: key-vault-certs.md - - name: SSL certificate management (preview) + - name: SSL certificate management href: ssl-certificate-management.md - name: Health monitoring items: diff --git a/articles/azure-monitor/app/opentelemetry-enable.md b/articles/azure-monitor/app/opentelemetry-enable.md index b9600526292c5..3388493c79e19 100644 --- a/articles/azure-monitor/app/opentelemetry-enable.md +++ b/articles/azure-monitor/app/opentelemetry-enable.md 
@@ -288,6 +288,32 @@ Application Insights is now enabled for your application. All the following step As part of using Application Insights instrumentation, we collect and send diagnostic data to Microsoft. This data helps us run and improve Application Insights. To learn more, see [Statsbeat in Azure Application Insights](./statsbeat.md). +## Samples + +Azure Monitor OpenTelemetry sample applications are available for all supported languages. + +#### [ASP.NET Core](#tab/aspnetcore) + +- [ASP.NET Core sample app](https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/monitor/Azure.Monitor.OpenTelemetry.AspNetCore/tests/Azure.Monitor.OpenTelemetry.AspNetCore.Demo) + +##### [.NET](#tab/net) + +- [NET sample app](https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/monitor/Azure.Monitor.OpenTelemetry.Exporter/tests/Azure.Monitor.OpenTelemetry.Exporter.Demo) + +##### [Java](#tab/java) + +- [Java sample apps](https://github.com/Azure-Samples/ApplicationInsights-Java-Samples) + +##### [Node.js](#tab/nodejs) + +- [Node.js sample app](https://github.com/Azure-Samples/azure-monitor-opentelemetry-node.js) + +##### [Python](#tab/python) + +- [Python sample apps](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/monitor/azure-monitor-opentelemetry/samples) + +--- + ## Next steps ### [ASP.NET Core](#tab/aspnetcore) diff --git a/articles/azure-monitor/containers/container-insights-data-collection-dcr.md b/articles/azure-monitor/containers/container-insights-data-collection-dcr.md index fbd9d9a945107..45eca3aba1181 100644 --- a/articles/azure-monitor/containers/container-insights-data-collection-dcr.md +++ b/articles/azure-monitor/containers/container-insights-data-collection-dcr.md 
@@ -15,9 +15,8 @@ The DCR is primarily used to configure data collection of performance and invent Specific configuration you can perform with the DCR includes: -- Enable/disable collection and namespace filtering for performance and inventory data +- Enable/disable collection and namespace filtering for performance and inventory data (Use [ConfigMap](./container-insights-data-collection-configmap.md) for namespace filtering of logs.) - Define collection interval for performance and inventory data -- Enable/disable collection of stdout and stderr logs - Enable/disable Syslog collection - Select log schema @@ -87,10 +86,10 @@ The **Collected data** option allows you to select the tables that are populated > [!NOTE] > Minimum version required for Azure CLI is 2.51.0. - - For AKS clusters, [aks-preview](../../aks/cluster-configuration.md) version 0.5.147 or higher - - For Arc enabled Kubernetes and AKS hybrid, [k8s-extension](../../azure-arc/kubernetes/extensions.md#prerequisites) version 1.4.3 or higher - -## AKS cluster +``` +- For AKS clusters, [aks-preview](../../aks/cluster-configuration.md) version 0.5.147 or higher +- For Arc enabled Kubernetes and AKS hybrid, [k8s-extension](../../azure-arc/kubernetes/extensions.md#prerequisites) version 1.4.3 or higher +```## AKS cluster When you use CLI to configure monitoring for your AKS cluster, you provide the configuration as a JSON file using the following format. Each of these settings is described in [Data collection parameters](#data-collection-parameters). @@ -215,7 +214,7 @@ The following table describes the supported data collection settings and the nam |:---|:---| | Collection frequency
CLI: `interval`
ARM: `dataCollectionInterval` | Determines how often the agent collects data. Valid values are 1m - 30m in 1m intervals The default value is 1m. If the value is outside the allowed range, then it defaults to *1 m*. | | Namespace filtering
CLI: `namespaceFilteringMode`
ARM: `namespaceFilteringModeForDataCollection` | *Include*: Collects only data from the values in the *namespaces* field.
*Exclude*: Collects data from all namespaces except for the values in the *namespaces* field.
*Off*: Ignores any *namespace* selections and collect data on all namespaces. -| Namespace filtering
CLI: `namespaces`
ARM: `namespacesForDataCollection` | Array of comma separated Kubernetes namespaces to collect inventory and perf data based on the _namespaceFilteringMode_.
For example, *namespaces = \["kube-system", "default"]* with an _Include_ setting collects only these two namespaces. With an _Exclude_ setting, the agent collects data from all other namespaces except for _kube-system_ and _default_. With an _Off_ setting, the agent collects data from all namespaces including _kube-system_ and _default_. Invalid and unrecognized namespaces are ignored. | +| Namespace filtering
CLI: `namespaces`
ARM: `namespacesForDataCollection` | Array of comma separated Kubernetes namespaces to collect inventory and perf data based on the _namespaceFilteringMode_.
For example, *namespaces = ["kube-system", "default"]* with an _Include_ setting collects only these two namespaces. With an _Exclude_ setting, the agent collects data from all other namespaces except for _kube-system_ and _default_. With an _Off_ setting, the agent collects data from all namespaces including _kube-system_ and _default_. Invalid and unrecognized namespaces are ignored. | | Enable ContainerLogV2
CLI: `enableContainerLogV2`
ARM: `enableContainerLogV2` | Boolean flag to enable ContainerLogV2 schema. If set to true, the stdout/stderr Logs are ingested to [ContainerLogV2](container-insights-logs-schema.md) table. If not, the container logs are ingested to **ContainerLog** table, unless otherwise specified in the ConfigMap. When specifying the individual streams, you must include the corresponding table for ContainerLog or ContainerLogV2. | | Collected Data
CLI: `streams`
ARM: `streams` | An array of container insights table streams. See the supported streams above to table mapping. | diff --git a/articles/azure-monitor/containers/media/prometheus-metrics-troubleshoot/image-pod-monitor-config.png b/articles/azure-monitor/containers/media/prometheus-metrics-troubleshoot/image-pod-monitor-config.png new file mode 100644 index 0000000000000..8cc7db0f10335 Binary files /dev/null and b/articles/azure-monitor/containers/media/prometheus-metrics-troubleshoot/image-pod-monitor-config.png differ diff --git a/articles/azure-monitor/containers/media/prometheus-metrics-troubleshoot/image-pod-service-monitor.png b/articles/azure-monitor/containers/media/prometheus-metrics-troubleshoot/image-pod-service-monitor.png new file mode 100644 index 0000000000000..7b8c9b47c0e13 Binary files /dev/null and b/articles/azure-monitor/containers/media/prometheus-metrics-troubleshoot/image-pod-service-monitor.png differ diff --git a/articles/azure-monitor/containers/media/prometheus-metrics-troubleshoot/image-sd-pod-svc-monitor.png b/articles/azure-monitor/containers/media/prometheus-metrics-troubleshoot/image-sd-pod-svc-monitor.png new file mode 100644 index 0000000000000..f3257560c48f6 Binary files /dev/null and b/articles/azure-monitor/containers/media/prometheus-metrics-troubleshoot/image-sd-pod-svc-monitor.png differ diff --git a/articles/azure-monitor/containers/media/prometheus-metrics-troubleshoot/image-targets-pod-svc-monitor.png b/articles/azure-monitor/containers/media/prometheus-metrics-troubleshoot/image-targets-pod-svc-monitor.png new file mode 100644 index 0000000000000..02a6c01e399e6 Binary files /dev/null and b/articles/azure-monitor/containers/media/prometheus-metrics-troubleshoot/image-targets-pod-svc-monitor.png differ diff --git a/articles/azure-monitor/containers/prometheus-metrics-scrape-configuration.md b/articles/azure-monitor/containers/prometheus-metrics-scrape-configuration.md index 3876f6de0cb4c..0c9244aaef1be 100644 
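Review bot: The second hunk of container-insights-data-collection-dcr.md (`@@ -87,10 +86,10 @@`) wraps the two prerequisite bullets in a code fence and glues the closing fence to the heading on one line: `` ```## AKS cluster ``. Inside a fence the markdown links to aks-preview and k8s-extension render as literal text, and a closing fence with `## AKS cluster` appended leaves the heading unrendered, so the AKS cluster section disappears from the page. Keep the bullets as plain list items (the original two-space indent under the note was fine, it only needed the list dedented or the note closed) and put `## AKS cluster` on its own line after a blank line.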
--- a/articles/azure-monitor/containers/prometheus-metrics-scrape-configuration.md +++ b/articles/azure-monitor/containers/prometheus-metrics-scrape-configuration.md @@ -15,7 +15,8 @@ This article provides instructions on customizing metrics scraping for a Kuberne Four different configmaps can be configured to provide scrape configuration and other settings for the metrics add-on. All config-maps should be applied to `kube-system` namespace for any cluster. > [!NOTE] -> None of the four configmaps exist by default in the cluster when Managed Prometheus is enabled. Depending on what needs to be customized, you need to deploy any or all of these four configmaps with the same name specified, in `kube-system` namespace. AMA-Metrics pods will pick up these configmaps after you deploy them to `kube-system` namespace, and will restart in 2-3 minutes to apply the configuration settings specified in the configmap(s). +> None of the four configmaps exist by default in the cluster when Managed Prometheus is enabled. Depending on what needs to be customized, you need to deploy any or all of these four configmaps with the same name specified, in `kube-system` namespace. AMA-Metrics pods will pick up these configmaps after you deploy them to `kube-system` namespace, and will restart in 2-3 minutes to apply the configuration settings specified in the configmap(s). + 1. [`ama-metrics-settings-configmap`](https://aka.ms/azureprometheus-addon-settings-configmap) This config map has below simple settings that can be configured. You can take the configmap from the above git hub repo, change the settings are required and apply/deploy the configmap to `kube-system` namespace for your cluster 
@@ -25,8 +26,9 @@ Four different configmaps can be configured to provide scrape configuration and * metric keep-lists - this setting is used to control which metrics are listed to be allowed from each default target and to change the default behavior * scrape intervals for default/pre-definetargets. `30 secs` is the default scrape frequency and it can be changed per default target using this configmap * debug-mode - turning this ON helps to debug missing metric/ingestion issues - see more on [troubleshooting](prometheus-metrics-troubleshoot.md#debug-mode) -2. [`ama-metrics-prometheus-config`](https://aka.ms/azureprometheus-addon-rs-configmap) (**Recommended**) +2. [`ama-metrics-prometheus-config`](https://aka.ms/azureprometheus-addon-rs-configmap) This config map can be used to provide Prometheus scrape config for addon replica. Addon runs a singleton replica, and any cluster level services can be discovered and scraped by providing scrape jobs in this configmap. You can take the sample configmap from the above git hub repo, add scrape jobs that you would need and apply/deploy the config map to `kube-system` namespace for your cluster. + **Although this is supported, please note that the recommended way of scraping custom targets is using [custom resources](prometheus-metrics-scrape-configuration.md#custom-resource-definitions)** 3. [`ama-metrics-prometheus-config-node`](https://aka.ms/azureprometheus-addon-ds-configmap) (**Advanced**) This config map can be used to provide Prometheus scrape config for addon DaemonSet that runs on every **Linux** node in the cluster, and any node level targets on each node can be scraped by providing scrape jobs in this configmap. When you use this configmap, you can use `$NODE_IP` variable in your scrape config, which gets substituted by corresponding node's ip address in DaemonSet pod running on each node. This way you get access to scrape anything that runs on that node from the metrics addon DaemonSet. 
**Please be careful when you use discoveries in scrape config in this node level config map, as every node in the cluster will setup & discover the target(s) and will collect redundant metrics**. You can take the sample configmap from the above git hub repo, add scrape jobs that you would need and apply/deploy the config map to `kube-system` namespace for your cluster 
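Review bot: The bold sentence added to item 2, `**Although this is supported, please note that the recommended way of scraping custom targets is using [custom resources](...)**`, should drop "please note" and use the `> [!NOTE]` syntax this page already uses a few lines up, for example: `> [!NOTE]` / `> The recommended way to scrape custom targets is [custom resources](prometheus-metrics-scrape-configuration.md#custom-resource-definitions). The configmap is supported but is not the preferred method.` The `#custom-resource-definitions` anchor only resolves once the `## Custom Resource Definitions` heading from the next hunk lands, so the two must ship together. The unchanged context line above still has the typo `pre-definetargets`; worth fixing while this block is being edited.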
@@ -34,6 +36,10 @@ Four different configmaps can be configured to provide scrape configuration and This config map can be used to provide Prometheus scrape config for addon DaemonSet that runs on every **Windows** node in the cluster, and node level targets on each node can be scraped by providing scrape jobs in this configmap. When you use this configmap, you can use `$NODE_IP` variable in your scrape config, which will be substituted by corresponding node's ip address in DaemonSet pod running on each node. This way you get access to scrape anything that runs on that node from the metrics addon DaemonSet. **Please be careful when you use discoveries in scrape config in this node level config map, as every node in the cluster will setup & discover the target(s) and will collect redundant metrics**. You can take the sample configmap from the above git hub repo, add scrape jobs that you would need and apply/deploy the config map to `kube-system` namespace for your cluster +## Custom Resource Definitions +The Azure Monitor metrics add-on supports scraping Prometheus metrics using Prometheus - Pod Monitors and Service Monitors, similar to the OSS Prometheus operator. Enabling the add-on will deploy the Pod and Service Monitor custom resource definitions to allow you to create your own custom resources. +Follow the instructions to [create and apply custom resources](prometheus-metrics-scrape-crd.md) on your cluster. + ## Metrics add-on settings configmap The [ama-metrics-settings-configmap](https://aka.ms/azureprometheus-addon-settings-configmap) can be downloaded, edited, and applied to the cluster to customize the out-of-the-box features of the metrics add-on. 
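Review bot: In the new `## Custom Resource Definitions` section, "scraping Prometheus metrics using Prometheus - Pod Monitors and Service Monitors" reads oddly; suggest "scraping Prometheus metrics with PodMonitor and ServiceMonitor custom resources, similar to the OSS Prometheus operator". "Enabling the add-on will deploy the Pod and Service Monitor custom resource definitions" should be present tense ("deploys"), matching the rest of the page. This section is also inserted immediately after the numbered configmap list with no blank line before it, so add one so the heading is not parsed as part of item 4.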
@@ -142,17 +148,21 @@ and apply the YAML using the following command: `kubectl apply -f .\ama-metrics- ## Configure custom Prometheus scrape jobs -You can configure the metrics add-on to scrape targets other than the default ones by using the same configuration format as the [Prometheus configuration file](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#configuration-file). - -Follow the instructions to [create, validate, and apply the configmap](prometheus-metrics-scrape-validate.md) for your cluster. - +You can scrape Prometheus metrics using Prometheus - Pod Monitors and Service Monitors(**Recommended**), similar to the OSS Prometheus operator. +Follow the instructions to [create and apply custom resources](prometheus-metrics-scrape-crd.md) on your cluster. +Additionally, you can follow the instructions to [create, validate, and apply the configmap](prometheus-metrics-scrape-validate.md) for your cluster. +The configuration format is similar to [Prometheus configuration file](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#configuration-file). ## Prometheus configuration tips and examples Learn some tips from examples in this section. -### Configuration file for custom scrape config +### [Configuration using CRD for custom scrape config](#tab/CRDConfig) +Use the [Pod and Service Monitor templates](https://github.com/Azure/prometheus-collector/tree/main/otelcollector/customresources) and follow the API specification to create your custom resources([PodMonitor](https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#podmonitor) and [Service Monitor](https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.ServiceMonitor)). **Note** that the only change required to the existing OSS CRs for being picked up by the Managed Prometheus is the API group - **azmonitoring.coreos.com/v1**. 
See [here](prometheus-metrics-scrape-crd.md) to learn more + + +### [Configuration file for custom scrape config](#tab/ConfigFile) The configuration format is the same as the [Prometheus configuration file](https://aka.ms/azureprometheus-promioconfig). Currently, the following sections are supported: 
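Review bot: `Service Monitors(**Recommended**)` is missing a space before the parenthesis, and `See [here](prometheus-metrics-scrape-crd.md) to learn more` uses "here" as link text and has no terminating period; use descriptive link text, for example `See [Create and apply Pod and Service Monitors](prometheus-metrics-scrape-crd.md).` The four replacement sentences under `## Configure custom Prometheus scrape jobs` sit on consecutive lines with no blank lines, so they render as one paragraph; if they are separate points, separate them or make them a list. The CRD tab paragraph (`Use the [Pod and Service Monitor templates]... **azmonitoring.coreos.com/v1**.`) repeats the opening of the new prometheus-metrics-scrape-crd.md almost verbatim; a one-line pointer to that page would keep the two from drifting apart.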
@@ -172,10 +182,143 @@ Any other unsupported sections must be removed from the config before they're ap See the [Apply config file](prometheus-metrics-scrape-validate.md#deploy-config-file-as-configmap) section to create a configmap from the Prometheus config. +--- + > [!NOTE] > When custom scrape configuration fails to apply because of validation errors, default scrape configuration continues to be used. +> If you want to use global settings that apply to all the scrape jobs, and only have [Custom Resources](prometheus-metrics-scrape-crd.md) you would still need to create a configmap with just the global settings(Settings for each of these in the custom resources will override the ones in the global section) + + ## Scrape configs +### [Scrape Configs using CRD](#tab/CRDScrapeConfig) +Currently, the supported methods of target discovery for custom resources are pod and service monitor + +#### Pod and Service Monitors +Targets discovered using pod and service monitors have different `__meta_*` labels depending on what monitor is used. You can use the labels in the `relabelings` section to filter targets or replace labels for the targets. + +See the [Pod and Service Monitor examples](https://github.com/Azure/prometheus-collector/tree/main/otelcollector/deploy/example-custom-resources) of pod and service monitors. + +### Relabelings +The `relabelings` section is applied at the time of target discovery and applies to each target for the job. The following examples show ways to use `relabelings`. + +#### Add a label +Add a new label called `example_label` with the value `example_value` to every metric of the job. Use `__address__` as the source label only because that label always exists and adds the label for every target of the job. 
+ +```yaml +relabelings: +- sourceLabels: [__address__] + targetLabel: example_label + replacement: 'example_value' +``` + +#### Use Pod or Service Monitor labels + +Targets discovered using pod and service monitors have different `__meta_*` labels depending on what monitor is used. The `__*` labels are dropped after discovering the targets. To filter by using them at the metrics level, first keep them using `relabelings` by assigning a label name. Then use `metricRelabelings` to filter. + +```yaml +# Use the kubernetes namespace as a label called 'kubernetes_namespace' +relabelings: +- sourceLabels: [__meta_kubernetes_namespace] + action: replace + targetLabel: kubernetes_namespace + +# Keep only metrics with the kubernetes namespace 'default' +metricRelabelings: +- sourceLabels: [kubernetes_namespace] + action: keep + regex: 'default' +``` + +#### Job and instance relabeling + +You can change the `job` and `instance` label values based on the source label, just like any other label. + +```yaml +# Replace the job name with the pod label 'k8s app' +relabelings: +- sourceLabels: [__meta_kubernetes_pod_label_k8s_app] + targetLabel: job + +# Replace the instance name with the node name. This is helpful to replace a node IP +# and port with a value that is more readable +relabelings: +- sourceLabels: [__meta_kubernetes_node_name]] + targetLabel: instance +``` + +### Metric Relabelings + +Metric relabelings are applied after scraping and before ingestion. Use the `metricRelabelings` section to filter metrics after scraping. The following examples show how to do so. 
+ +#### Drop metrics by name + +```yaml +# Drop the metric named 'example_metric_name' +metricRelabelings: +- sourceLabels: [__name__] + action: drop + regex: 'example_metric_name' +``` + +#### Keep only certain metrics by name + +```yaml +# Keep only the metric named 'example_metric_name' +metricRelabelings: +- sourceLabels: [__name__] + action: keep + regex: 'example_metric_name' +``` + +```yaml +# Keep only metrics that start with 'example_' +metricRelabelings: +- sourceLabels: [__name__] + action: keep + regex: '(example_.*)' +``` + +#### Rename metrics +Metric renaming isn't supported. + +#### Filter metrics by labels + +```yaml +# Keep metrics only where example_label = 'example' +metricRelabelings: +- sourceLabels: [example_label] + action: keep + regex: 'example' +``` + +```yaml +# Keep metrics only if `example_label` equals `value_1` or `value_2` +metricRelabelings: +- sourceLabels: [example_label] + action: keep + regex: '(value_1|value_2)' +``` + +```yaml +# Keep metrics only if `example_label_1 = value_1` and `example_label_2 = value_2` +metricRelabelings: +- sourceLabels: [example_label_1, example_label_2] + separator: ';' + action: keep + regex: 'value_1;value_2' +``` + +```yaml +# Keep metrics only if `example_label` exists as a label +metricRelabelings: +- sourceLabels: [example_label_1] + action: keep + regex: '.+' +``` + + +### [Scrape Configs using Config file](#tab/ConfigFileScrapeConfig) Currently, the supported methods of target discovery for a [scrape config](https://aka.ms/azureprometheus-promioconfig-scrape) are either [`static_configs`](https://aka.ms/azureprometheus-promioconfig-static) or [`kubernetes_sd_configs`](https://aka.ms/azureprometheus-promioconfig-sdk8s) for specifying or discovering targets. #### Static config 
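Review bot: In the "Job and instance relabeling" example, `- sourceLabels: [__meta_kubernetes_node_name]]` has an extra closing bracket and is invalid YAML; it should be `- sourceLabels: [__meta_kubernetes_node_name]`. The same block also defines the `relabelings` key twice in one YAML document, which a strict parser rejects as a duplicate key; split it into two fenced blocks like the neighbouring examples. In the last "Filter metrics by labels" example the comment says "Keep metrics only if `example_label` exists as a label" but the config uses `sourceLabels: [example_label_1]`; align the two. The examples show `relabelings` and `metricRelabelings` as bare top-level keys with no surrounding context; since the page points readers at the PodMonitor and ServiceMonitor API specification, one example showing where these keys sit inside the monitor spec (or a sentence saying so) would save a round of validation errors. Finally, the added note `with just the global settings(Settings for each of these in the custom resources will override the ones in the global section)` needs a space before the parenthesis and a terminating period.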
@@ -313,6 +456,8 @@ metric_relabel_configs: regex: '.+' ``` +--- + ### TLS based scraping If you have a Prometheus instance served with TLS and you want to scrape metrics from it, you need to set scheme to `https` and set the TLS settings in your configmap or respective CRD. You can use the `tls_config` configuration property inside a custom scrape job to configure the TLS settings either using a CRD or a configmap. You need to provide a CA certificate to validate API server certificate with. The CA certificate is used to verify the authenticity of the server's certificate when Prometheus connects to the target over TLS. It helps ensure that the server's certificate is signed by a trusted authority. diff --git a/articles/azure-monitor/containers/prometheus-metrics-scrape-crd.md b/articles/azure-monitor/containers/prometheus-metrics-scrape-crd.md new file mode 100644 index 0000000000000..ed109084c119b --- /dev/null +++ b/articles/azure-monitor/containers/prometheus-metrics-scrape-crd.md 
@@ -0,0 +1,118 @@ +--- +title: Create and apply Pod and Service Monitors for Prometheus metrics in Azure Monitor +description: Describes how to create and apply pod and service monitors to scrape Prometheus metrics in Azure Monitor to Kubernetes cluster. +ms.topic: conceptual +ms.date: 3/13/2024 +ms.reviewer: aul +--- +# Custom Resource Definitions +The enablement of managed prometheus automatically deploys the custom resource definitions (CRD) for [pod monitors](https://github.com/Azure/prometheus-collector/blob/main/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-podmonitor-crd.yaml) and [service monitors](https://github.com/Azure/prometheus-collector/blob/main/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-servicemonitor-crd.yaml). These custom resource definitions are the same custom resource definitions (CRD) as [OSS Pod monitors](https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.PodMonitor) and [OSS service monitors](https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.ServiceMonitor) for Prometheus, except for a change in the group name. If you have existing Prometheus CRDs and custom resources on your cluster, these CRDs won't conflict with the CRDs created by the add-on. At the same time, the managed Prometheus addon does not pick up the CRDs created for the OSS Prometheus. This separation is intentional for the purposes of isolation of scrape jobs. 
+ +### Create a Pod or Service Monitor +Use the [Pod and Service Monitor templates](https://github.com/Azure/prometheus-collector/tree/main/otelcollector/customresources) and follow the API specification to create your custom resources([PodMonitor](https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#podmonitor) and [Service Monitor](https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.ServiceMonitor)). **Note** that the only change required to the existing OSS CRs(Custom Resources) for being picked up by the Managed Prometheus is the API group - **azmonitoring.coreos.com/v1**. +>Note - Please make sure to use the **labelLimit, labelNameLengthLimit and labelValueLengthLimit** specified in the templates so that they are not dropped during processing. + +Your pod and service monitors should look like the following examples: + +#### Example Pod Monitor - + +```yaml +# Note the API version is azmonitoring.coreos.com/v1 instead of monitoring.coreos.com/v1 +apiVersion: azmonitoring.coreos.com/v1 +kind: PodMonitor + +# Can be deployed in any namespace +metadata: + name: reference-app + namespace: app-namespace +spec: + labelLimit: 63 + labelNameLengthLimit: 511 + labelValueLengthLimit: 1023 + + # The selector specifies which pods to filter for + selector: + + # Filter by pod labels + matchLabels: + environment: test + matchExpressions: + - key: app + operator: In + values: [app-frontend, app-backend] + + # [Optional] Filter by pod namespace + namespaceSelector: + matchNames: [app-frontend, app-backend] + + # [Optional] Labels on the pod with these keys will be added as labels to each metric scraped + podTargetLabels: [app, region, environment] + + # Multiple pod endpoints can be specified. Port requires a named port. 
+ podMetricsEndpoints: + - port: metrics +``` +#### Example Service Monitor - +```yaml +# Note the API version is azmonitoring.coreos.com/v1 instead of monitoring.coreos.com/v1 +apiVersion: azmonitoring.coreos.com/v1 +kind: ServiceMonitor + +# Can be deployed in any namespace +metadata: + name: reference-app + namespace: app-namespace +spec: + labelLimit: 63 + labelNameLengthLimit: 511 + labelValueLengthLimit: 1023 + + # The selector filters endpoints by service labels. + selector: + matchLabels: + app: reference-app + + # Multiple endpoints can be specified. Port requires a named port. + endpoints: + - port: metrics +``` + +### Deploy a Pod or Service Monitor +You can then deploy the pod or service monitor using kubectl apply. + + +When applied, any errors in the custom resources should show up and the pod or service monitors should fail to apply. +A successful pod monitor creation looks like the following - +```bash +podmonitor.azmonitoring.coreos.com/my-pod-monitor created +``` + +### Examples +#### Create a sample application +Deploy a sample application exposing prometheus metrics to be configured by pod/service monitor. + +```bash +kubectl apply -f https://github.com/Azure/prometheus-collector/blob/main/internal/referenceapp/prometheus-reference-app.yaml +``` + +#### Create a pod monitor and/or service monitor to scrape metrics +Deploy a pod monitor that is configured to scrape metrics from the example application from the previous step. 
+ +##### Pod Monitor +```bash +kubectl apply -f https://github.com/Azure/prometheus-collector/blob/main/otelcollector/deploy/example-custom-resources/pod-monitor/pod-monitor-reference-app.yaml +``` + +##### Service Monitor +```bash +kubectl apply -f https://github.com/Azure/prometheus-collector/blob/main/otelcollector/deploy/example-custom-resources/service-monitor/service-monitor-reference-app.yaml +``` + +### Troubleshooting +When the pod or service monitors are successfully applied, if you want to make sure that the pod or service monitor targets get picked up by the addon, follow the instructions [here](prometheus-metrics-troubleshoot.md#prometheus-interface) for general troubleshooting of custom resources and also to ensure the targets show up in 127.0.0.1/targets. + + :::image type="content" source="media/prometheus-metrics-troubleshoot/image-pod-service-monitor.png" alt-text="Screenshot showing targets for pod/service monitor" lightbox="media/prometheus-metrics-troubleshoot/image-pod-service-monitor.png"::: + +## Next steps + +- [Learn more about collecting Prometheus metrics](../essentials/prometheus-metrics-overview.md). diff --git a/articles/azure-monitor/containers/prometheus-metrics-troubleshoot.md b/articles/azure-monitor/containers/prometheus-metrics-troubleshoot.md index 36975c0a4e074..ffa79d4879779 100644 --- a/articles/azure-monitor/containers/prometheus-metrics-troubleshoot.md +++ b/articles/azure-monitor/containers/prometheus-metrics-troubleshoot.md 
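Review bot: The three `kubectl apply -f https://github.com/Azure/prometheus-collector/blob/main/...` commands point at GitHub's HTML `blob` pages rather than the raw YAML, so `kubectl apply` will fail to parse what it downloads; use the raw file URL instead (for the first one, `https://raw.githubusercontent.com/Azure/prometheus-collector/main/internal/referenceapp/prometheus-reference-app.yaml`, and likewise for the two monitor manifests). In the Troubleshooting paragraph, `127.0.0.1/targets` is missing the port that the linked section uses (`127.0.0.1:9090/targets`). `>Note - Please make sure to use the **labelLimit, labelNameLengthLimit and labelValueLengthLimit** ...` should use the repo's `> [!NOTE]` block syntax. The heading levels skip from `# Custom Resource Definitions` straight to `### Create a Pod or Service Monitor`; promote those to `##` and shift the subheadings accordingly, and drop the trailing dashes in `#### Example Pod Monitor -` and `#### Example Service Monitor -`. "The enablement of managed prometheus automatically deploys" reads better as "Enabling Managed Prometheus automatically deploys". Because the page says the monitors "Can be deployed in any namespace" and the example `namespaceSelector` selects pods in other namespaces, it would help cluster operators to state what RBAC is needed to create these custom resources, since anyone allowed to create them can direct the add-on's scraping across namespaces.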
@@ -10,7 +10,7 @@ ms.reviewer: aul Follow the steps in this article to determine the cause of Prometheus metrics not being collected as expected in Azure Monitor. -Replica pod scrapes metrics from `kube-state-metrics` and custom scrape targets in the `ama-metrics-prometheus-config` configmap. DaemonSet pods scrape metrics from the following targets on their respective node: `kubelet`, `cAdvisor`, `node-exporter`, and custom scrape targets in the `ama-metrics-prometheus-config-node` configmap. The pod that you want to view the logs and the Prometheus UI for it depends on which scrape target you're investigating. +Replica pod scrapes metrics from `kube-state-metrics`, custom scrape targets in the `ama-metrics-prometheus-config` configmap and custom scrape targets defined in the [Custom Resources](prometheus-metrics-scrape-crd.md). DaemonSet pods scrape metrics from the following targets on their respective node: `kubelet`, `cAdvisor`, `node-exporter`, and custom scrape targets in the `ama-metrics-prometheus-config-node` configmap. The pod that you want to view the logs and the Prometheus UI for it depends on which scrape target you're investigating. ## Troubleshoot using powershell script 
@@ -36,8 +36,8 @@ Check the pod status with the following command: kubectl get pods -n kube-system | grep ama-metrics ``` -- There should be one `ama-metrics-xxxxxxxxxx-xxxxx` replica pod, one `ama-metrics-ksm-*` pod, and an `ama-metrics-node-*` pod for each node on the cluster. -- Each pod state should be `Running` and have an equal number of restarts to the number of configmap changes that have been applied: +- There should be one `ama-metrics-xxxxxxxxxx-xxxxx` replica pod, one `ama-metrics-operator-targets-*`, one `ama-metrics-ksm-*` pod, and an `ama-metrics-node-*` pod for each node on the cluster. +- Each pod state should be `Running` and have an equal number of restarts to the number of configmap changes that have been applied. The ama-metrics-operator-targets-* pod might have an extra restart at the beginning and this is expected: :::image type="content" source="media/prometheus-metrics-troubleshoot/pod-status.png" alt-text="Screenshot showing pod status." lightbox="media/prometheus-metrics-troubleshoot/pod-status.png"::: @@ -66,6 +66,14 @@ kubectl logs -n kube-system -c prometheus-collector - If so, check that the Data Collection Rule and Data Collection Endpoint exist in your resource group. - Also verify that the Azure Monitor Workspace exists. - Verify that you don't have a private AKS cluster and that it's not linked to an Azure Monitor Private Link Scope for any other service. This scenario is currently not supported. + +### Config Processing +View the container logs with the following command: + +``` +kubectl logs -n kube-system -c config-reader +``` + - Verify there are no errors with parsing the Prometheus config, merging with any default scrape targets enabled, and validating the full config. - If you did include a custom Prometheus config, verify that it's recognized in the logs. If not: - Verify that your configmap has the correct name: `ama-metrics-prometheus-config` in the `kube-system` namespace. 
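Review bot: In the first bullet of `@@ -36,8 +36,8 @@`, `one `ama-metrics-operator-targets-*`,` is missing the word "pod" after the name, unlike the neighbouring items. In the second bullet, "The ama-metrics-operator-targets-* pod might have an extra restart at the beginning and this is expected:" should wrap the pod name in backticks like the rest of the page and read "...might have one extra restart at startup; this is expected:".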
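Review bot: In the new `### Config Processing` section, `kubectl logs -n kube-system -c config-reader` has no pod argument; `kubectl logs` requires `(POD | TYPE/NAME)` before `-c`, so the command fails as written. Say which pod runs the `config-reader` container and include it, for example `kubectl logs -n kube-system <replica pod name> -c config-reader`. The existing `kubectl logs -n kube-system -c prometheus-collector` command shown in the hunk context has the same gap and could be fixed in the same change.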
@@ -81,6 +89,10 @@ kubectl logs -n kube-system -c prometheus-collector scrape_configs: - job_name: ``` +- If you did create [Custom Resources](prometheus-metrics-scrape-crd.md), you should have seen any validation errors during the creation of pod/service monitors. If you still don't see the metrics from the targets make sure that the logs show no errors. +``` +kubectl logs -n kube-system -c targetallocator +``` - Verify there are no errors from `MetricsExtension` regarding authenticating with the Azure Monitor workspace. - Verify there are no errors from the `OpenTelemetry collector` about scraping the targets. 
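Review bot: The added bullet `- If you did create [Custom Resources](...)...` is followed by an unindented code fence, which terminates the list; the `kubectl logs -n kube-system -c targetallocator` block then renders outside it and the following `- Verify there are no errors from `MetricsExtension`...` starts a new list. Indent the fence by two spaces under the bullet. As with the `config-reader` command, this one also lacks the pod name that `kubectl logs` requires. The bullet text could be tightened to: "Validation errors are reported when you apply a pod or service monitor. If the targets still produce no metrics, check the target allocator logs for errors:".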
@@ -97,14 +109,15 @@ If there are no errors in the logs, the Prometheus interface can be used for deb ## Prometheus interface -Every `ama-metrics-*` pod has the Prometheus Agent mode User Interface available on port 9090. Port-forward into either the replica pod or one of the daemon set pods to check the config, service discovery and targets endpoints as described here to verify the custom configs are correct, the intended targets have been discovered for each job, and there are no errors with scraping specific targets. +Every `ama-metrics-*` pod has the Prometheus Agent mode User Interface available on port 9090. +Custom config and [Custom Resources](prometheus-metrics-scrape-crd.md) targets are scraped by the `ama-metrics-*` pod and the node targets by the `ama-metrics-node-*` pod. +Port-forward into either the replica pod or one of the daemon set pods to check the config, service discovery and targets endpoints as described here to verify the custom configs are correct, the intended targets have been discovered for each job, and there are no errors with scraping specific targets. Run the command `kubectl port-forward -n kube-system 9090`. - Open a browser to the address `127.0.0.1:9090/config`. This user interface has the full scrape configuration. Verify all jobs are included in the config. :::image type="content" source="media/prometheus-metrics-troubleshoot/config-ui.png" alt-text="Screenshot showing configuration jobs." lightbox="media/prometheus-metrics-troubleshoot/config-ui.png"::: - - Go to `127.0.0.1:9090/service-discovery` to view the targets discovered by the service discovery object specified and what the relabel_configs have filtered the targets to be. For example, when missing metrics from a certain pod, you can find if that pod was discovered and what its URI is. You can then use this URI when looking at the targets to see if there are any scrape errors. 
:::image type="content" source="media/prometheus-metrics-troubleshoot/service-discovery.png" alt-text="Screenshot showing service discovery." lightbox="media/prometheus-metrics-troubleshoot/service-discovery.png"::: @@ -112,6 +125,19 @@ Run the command `kubectl port-forward -n kube-system 9090`. - Go to `127.0.0.1:9090/targets` to view all jobs, the last time the endpoint for that job was scraped, and any errors :::image type="content" source="media/prometheus-metrics-troubleshoot/targets.png" alt-text="Screenshot showing targets." lightbox="media/prometheus-metrics-troubleshoot/targets.png"::: +### Custom Resources +- If you did include [Custom Resources](prometheus-metrics-scrape-crd.md), make sure they show up under configuration, service discovery and targets. + +#### Configuration +:::image type="content" source="media/prometheus-metrics-troubleshoot/image-pod-monitor-config.png" alt-text="Screenshot showing configuration jobs for pod monitor." lightbox="media/prometheus-metrics-troubleshoot/image-pod-monitor-config.png"::: + +#### Service Discovery +:::image type="content" source="media/prometheus-metrics-troubleshoot/image-sd-pod-svc-monitor.png" alt-text="Screenshot showing sd for pod monitor." lightbox="media/prometheus-metrics-troubleshoot/image-sd-pod-svc-monitor.png"::: + +#### Targets +:::image type="content" source="media/prometheus-metrics-troubleshoot/image-targets-pod-svc-monitor.png" alt-text="Screenshot showing targets for pod monitor." lightbox="media/prometheus-metrics-troubleshoot/image-targets-pod-svc-monitor.png"::: + + If there are no issues and the intended targets are being scraped, you can view the exact metrics being scraped by enabling debug mode. ## Debug mode diff --git a/articles/azure-monitor/toc.yml b/articles/azure-monitor/toc.yml index 52500bf17ea50..18565c5a2e8a9 100644 --- a/articles/azure-monitor/toc.yml +++ b/articles/azure-monitor/toc.yml 
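Review bot: The new sentence "Custom config and [Custom Resources](...) targets are scraped by the `ama-metrics-*` pod and the node targets by the `ama-metrics-node-*` pod" is ambiguous, because `ama-metrics-*` also matches `ama-metrics-node-*` (and the `ama-metrics-ksm-*` and `ama-metrics-operator-targets-*` pods listed in the pod-status bullets above); name the replica pod explicitly, `ama-metrics-xxxxxxxxxx-xxxxx`, as that bullet does. The unchanged context line `Run the command `kubectl port-forward -n kube-system 9090`.` is also missing the pod name and would be clearer as `kubectl port-forward -n kube-system <pod name> 9090`.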
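Review bot: In the new `### Custom Resources` subsection of `@@ -112,6 +125,19 @@`, the alt text "Screenshot showing sd for pod monitor" abbreviates service discovery; spell it out for screen readers. The three alt texts say "pod monitor" only, while the file names (`image-sd-pod-svc-monitor.png`, `image-targets-pod-svc-monitor.png`) and the bullet above cover both pod and service monitors; make the alt text match what the screenshots show.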
@@ -490,6 +490,9 @@ items: - name: Custom configuration displayName: Prometheus href: containers/prometheus-metrics-scrape-configuration.md + - name: Custom Resouce Definition + displayName: Prometheus + href: containers/prometheus-metrics-scrape-crd.md - name: Create and validate custom scrape config displayName: Prometheus href: containers/prometheus-metrics-scrape-validate.md diff --git a/articles/backup/backup-azure-vm-backup-faq.yml b/articles/backup/backup-azure-vm-backup-faq.yml index 2794d785bea20..5a2bc76ac0aa1 100644 --- a/articles/backup/backup-azure-vm-backup-faq.yml +++ b/articles/backup/backup-azure-vm-backup-faq.yml @@ -4,7 +4,7 @@ metadata: description: In this article, discover answers to common questions about backing up Azure VMs with the Azure Backup service. ms.topic: faq ms.service: backup - ms.date: 01/24/2024 + ms.date: 03/19/2024 author: AbhishekMallick-MS ms.author: v-abhmallick @@ -392,7 +392,9 @@ sections: answer: | Backup data fully replicated to the secondary region before the failure of the primary region will remain intact. This remains the case even after the primary region has recovered from the failure. In other words, the virtual machine can be recovered in the secondary region with the data it had before the failure as per the replication schedule. Note that the RPO for the secondary region is 36 hours i.e., data takes approximately 36 hours to be fully replicated from primary to the secondary region. - + - question: When I update the backup policy, why is the expiry time not getting updated immediately? + answer: | + **Expiry Time** of recovery points are updated when Garbage Collector (GC) runs, which is *every 24 hours*. Once you update the backup policy, it can take up to *24 hours* to show the updates in the **Expiry Time**, if there're no delays in GC jobs. 
diff --git a/articles/confidential-computing/quick-create-confidential-vm-arm.md b/articles/confidential-computing/quick-create-confidential-vm-arm.md index a10c1bc6d6ca7..48234fd53e30c 100644 --- a/articles/confidential-computing/quick-create-confidential-vm-arm.md +++ b/articles/confidential-computing/quick-create-confidential-vm-arm.md @@ -166,11 +166,11 @@ Use this example to create a custom parameter file for a Linux-based confidentia 1. Grant confidential VM Service Principal `Confidential VM Orchestrator` to tenant - For this step you need to be a Global Admin or you need to have the User Access Administrator RBAC role. + For this step you need to be a Global Admin or you need to have the User Access Administrator RBAC role. [Install Microsoft Graph SDK](/powershell/microsoftgraph/installation) to execute the commands below. - ```azurecli-interactive - Connect-AzureAD -Tenant "your tenant ID" - New-AzureADServicePrincipal -AppId bf7b6499-ff71-4aa2-97a4-f372087be7f0 -DisplayName "Confidential VM Orchestrator" + ```Powershell + Connect-Graph -Tenant "your tenant ID" Application.ReadWrite.All + New-MgServicePrincipal -AppId bf7b6499-ff71-4aa2-97a4-f372087be7f0 -DisplayName "Confidential VM Orchestrator" ``` 1. Set up your Azure key vault. For how to use an Azure Key Vault Managed HSM instead, see the next step. diff --git a/articles/confidential-computing/quick-create-confidential-vm-portal.md b/articles/confidential-computing/quick-create-confidential-vm-portal.md index 5b3f76eb766c4..810346d4471f3 100644 --- a/articles/confidential-computing/quick-create-confidential-vm-portal.md +++ b/articles/confidential-computing/quick-create-confidential-vm-portal.md 
@@ -23,11 +23,11 @@ You can use the Azure portal to create a [confidential VM](confidential-vm-overv - An Azure subscription. Free trial accounts don't have access to the VMs used in this tutorial. One option is to use a [pay as you go subscription](https://azure.microsoft.com/pricing/purchase-options/pay-as-you-go/). - If you're using a Linux-based confidential VM, use a BASH shell for SSH or install an SSH client, such as [PuTTY](https://www.chiark.greenend.org.uk/~sgtatham/putty/download.html). -- If Confidential disk encryption with a customer-managed key is required, please run below command to opt in service principal `Confidential VM Orchestrator` to your tenant. +- If Confidential disk encryption with a customer-managed key is required, please run below command to opt in service principal `Confidential VM Orchestrator` to your tenant. [Install Microsoft Graph SDK](/powershell/microsoftgraph/installation) to execute the commands below. - ```azurecli - Connect-AzureAD -Tenant "your tenant ID" - New-AzureADServicePrincipal -AppId bf7b6499-ff71-4aa2-97a4-f372087be7f0 -DisplayName "Confidential VM Orchestrator" + ```Powershell + Connect-Graph -Tenant "your tenant ID" Application.ReadWrite.All + New-MgServicePrincipal -AppId bf7b6499-ff71-4aa2-97a4-f372087be7f0 -DisplayName "Confidential VM Orchestrator" ``` ## Create confidential VM diff --git a/articles/copilot/capabilities.md b/articles/copilot/capabilities.md index 45fbb58eb9d28..b313a1b3062fc 100644 --- a/articles/copilot/capabilities.md +++ b/articles/copilot/capabilities.md @@ -1,7 +1,7 @@ --- title: Microsoft Copilot for Azure (preview) capabilities description: Learn about the things you can do with Microsoft Copilot for Azure (preview). -ms.date: 03/06/2024 +ms.date: 03/18/2024 ms.topic: conceptual ms.service: copilot-for-azure ms.custom: 
@@ -31,6 +31,7 @@ Use Microsoft Copilot for Azure (preview) to perform many basic tasks. There are - [Get information about Azure Monitor metrics and logs](get-monitoring-information.md) - [Work smarter with Azure Stack HCI](work-smarter-edge.md) - [Secure and protect storage accounts](improve-storage-accounts.md) + - [Improve Azure SQL Database-driven applications](/azure/azure-sql/copilot/copilot-azure-sql-overview#microsoft-copilot-for-azure-enhanced-scenarios) - Write and optimize code: - [Generate Azure CLI scripts](generate-cli-scripts.md) - [Discover performance recommendations with Code Optimizations](optimize-code-application-insights.md) @@ -38,6 +39,9 @@ Use Microsoft Copilot for Azure (preview) to perform many basic tasks. There are - [Generate Kubernetes YAML files](generate-kubernetes-yaml.md) - [Troubleshoot apps faster with App Service](troubleshoot-app-service.md) +> [!NOTE] +> Microsoft Copilot for Azure (preview) includes access to Copilot in Azure SQL Database (preview). This offering can help you streamline the design, operation, optimization, and health of Azure SQL Database-driven applications. It improves productivity in the Azure portal by offering natural language to SQL conversion and self-help for database administration. For more information, see [Copilot in Azure SQL Database (preview)](https://aka.ms/sqlcopilot). + ## Get information From anywhere in the Azure portal, you can ask Microsoft Copilot for Azure (preview) to explain more about Azure concepts, services, or offerings. You can ask questions to learn which services are best suited for your workloads, or learn which configurations best meet your budgets, security, and scale requirements. Copilot can guide you to the right user experience or even author scripts and other artifacts that you can use to deploy your solutions. Answers are grounded in the latest Azure documentation, so you can get up-to-date guidance just by asking a question. 
diff --git a/articles/data-factory/data-flow-troubleshoot-connector-format.md b/articles/data-factory/data-flow-troubleshoot-connector-format.md index e5d60fa9ce7d4..611c704e76484 100644 --- a/articles/data-factory/data-flow-troubleshoot-connector-format.md +++ b/articles/data-factory/data-flow-troubleshoot-connector-format.md @@ -7,7 +7,7 @@ ms.reviewer: wiassaf ms.service: data-factory ms.subservice: data-flows ms.topic: troubleshooting -ms.date: 07/17/2023 +ms.date: 03/19/2024 --- @@ -21,13 +21,13 @@ This article explores troubleshooting methods related to connector and format fo #### Symptoms -In data flows, if you use Azure Blob Storage (general purpose v1) with the service principal or MI authentication, you may encounter the following error message: +In data flows, if you use Azure Blob Storage (general purpose v1) with the service principal or MI authentication, you might encounter the following error message: `com.microsoft.dataflow.broker.InvalidOperationException: ServicePrincipal and MI auth are not supported if blob storage kind is Storage (general purpose v1)` #### Cause -When you use the Azure Blob linked service in data flows, the managed identity or service principal authentication is not supported when the account kind is empty or "Storage". This situation is shown in Image 1 and Image 2 below. +When you use the Azure Blob linked service in data flows, the managed identity or service principal authentication isn't supported when the account kind is empty or **Storage**. This situation is shown in Image 1 and Image 2 below. Image 1: The account kind in the Azure Blob Storage linked service 
@@ -42,7 +42,7 @@ Image 2: Storage account page To solve this issue, refer to the following recommendations: -- If the storage account kind is **None** in the Azure Blob linked service, specify the proper account kind, and refer to Image 3 shown below to accomplish it. Furthermore, refer to Image 2 to get the storage account kind, and check and confirm the account kind is not Storage (general purpose v1). +- If the storage account kind is **None** in the Azure Blob linked service, specify the proper account kind, and refer to Image 3 that follows to accomplish it. Furthermore, refer to Image 2 to get the storage account kind, and check and confirm the account kind isn't Storage (general purpose v1). Image 3: Specify the storage account kind in the Azure Blob Storage linked service 
@@ -60,17 +60,17 @@ To solve this issue, refer to the following recommendations: ### Support customized schemas in the source #### Symptoms -When you want to use the ADF data flow to move or transfer data from Azure Cosmos DB/JSON into other data stores, some columns of the source data may be missed.  +When you want to use the ADF data flow to move or transfer data from Azure Cosmos DB/JSON into other data stores, some columns of the source data might be missed. -#### Cause  -For the schema-free connectors (the column number, column name and column data type of each row can be different when comparing with others), by default, ADF uses sample rows (for example, top 100 or 1000 rows data) to infer the schema, and the inferred result will be used as a schema to read data. So if your data stores have extra columns that don't appear in sample rows, the data of these extra columns are not read, moved, or transferred into sink data stores. +#### Cause +For the schema-free connectors (the column number, column name and column data type of each row can be different when comparing with others), by default, ADF uses sample rows (for example, top 100 or 1,000 rows data) to infer the schema, and the inferred result are used as a schema to read data. So if your data stores have extra columns that don't appear in sample rows, the data of these extra columns aren't read, moved, or transferred into sink data stores. #### Recommendation -To overwrite the default behavior and bring in additional fields, ADF provides options for you to customize the source schema. You can specify additional/missing columns that could be missing in schema-infer-result in the data flow source projection to read the data, and you can apply one of the following options to set the customized schema. Usually, **Option-1** is more preferred. +To overwrite the default behavior and bring in other fields, ADF provides options for you to customize the source schema. 
You can specify additional/missing columns that could be missing in schema-infer-result in the data flow source projection to read the data, and you can apply one of the following options to set the customized schema. Usually, **Option-1** is more preferred. -- **Option-1**: Compared with the original source data that may be one large file, table, or container that contains millions of rows with complex schemas, you can create a temporary table/container with a few rows that contain all the columns you want to read, and then move on to the following operation:  +- **Option-1**: Compared with the original source data that might be one large file, table, or container that contains millions of rows with complex schemas, you can create a temporary table/container with a few rows that contain all the columns you want to read, and then move on to the following operation: - 1. Use the data flow source **Debug Settings** to have **Import projection** with sample files/tables to get the complete schema. You can follow the steps in the following picture:
+ 1. Use the data flow source **Debug Settings** to have **Import projection** with sample files/tables to get the complete schema. You can follow the steps in the following picture:
:::image type="content" source="./media/data-flow-troubleshoot-connector-format/customize-schema-option-1-1.png" alt-text="Screenshot that shows the first part of the first option to customize the source schema.":::
1. Select **Debug settings** in the data flow canvas. @@ -85,21 +85,21 @@ To overwrite the default behavior and bring in additional fields, ADF provides o 1. In the pop-up pane, select **Source dataset** under the **cosmosSource** tab. 1. Select **Save** to save your settings.
- Afterwards, the ADF data flow runtime will honor and use the customized schema to read data from the original data store. 
+ Afterwards, the ADF data flow runtime will honor and use the customized schema to read data from the original data store.
-- **Option-2**: If you are familiar with the schema and DSL language of the source data, you can manually update the data flow source script to add additional/missed columns to read the data. An example is shown in the following picture: +- **Option-2**: If you're familiar with the schema and DSL language of the source data, you can manually update the data flow source script to add additional/missed columns to read the data. An example is shown in the following picture: :::image type="content" source="./media/data-flow-troubleshoot-connector-format/customize-schema-option-2.png" alt-text="Screenshot that shows the second option to customize the source schema."::: ### Support map type in the source #### Symptoms -In ADF data flows, map data type cannot be directly supported in Azure Cosmos DB or JSON source, so you cannot get the map data type under "Import projection". +In ADF data flows, map data type can't be directly supported in Azure Cosmos DB or JSON source, so you can't get the map data type under "Import projection". #### Cause -For Azure Cosmos DB and JSON, they are schema-free connectivity and related spark connector uses sample data to infer the schema, and then that schema is used as the Azure Cosmos DB/JSON source schema. When inferring the schema, the Azure Cosmos DB/JSON Spark connector can only infer object data as a struct rather than a map data type, and that's why map type cannot be directly supported. +For Azure Cosmos DB and JSON, they're schema-free connectivity and related spark connector uses sample data to infer the schema, and then that schema is used as the Azure Cosmos DB/JSON source schema. When inferring the schema, the Azure Cosmos DB/JSON Spark connector can only infer object data as a struct rather than a map data type, and that's why map type can't be directly supported. 
-#### Recommendation  +#### Recommendation To solve this issue, refer to the following examples and steps to manually update the script (DSL) of the Azure Cosmos DB/JSON source to get the map data type support. **Examples**: @@ -118,11 +118,11 @@ The map type support: |Type |Is the map type supported? |Comments| |-------------------------|-----------|------------| -|Excel, CSV |No |Both are tabular data sources with the primitive type, so there is no need to support the map type. | +|Excel, CSV |No |Both are tabular data sources with the primitive type, so there's no need to support the map type. | |Orc, Avro |Yes |None.| -|JSON|Yes |The map type cannot be directly supported, follow the recommendation part in this section to update the script (DSL) under the source projection.| -|Azure Cosmos DB |Yes |The map type cannot be directly supported, follow the recommendation part in this section to update the script (DSL) under the source projection.| -|Parquet |Yes |Today the complex data type is not supported on the parquet dataset, so you need to use the "Import projection" under the data flow parquet source to get the map type.| +|JSON|Yes |The map type can't be directly supported. Follow the recommendation part in this section to update the script (DSL) under the source projection.| +|Azure Cosmos DB |Yes |The map type can't be directly supported. Follow the recommendation part in this section to update the script (DSL) under the source projection.| +|Parquet |Yes |Today the complex data type isn't supported on the parquet dataset, so you need to use the "Import projection" under the data flow parquet source to get the map type.| |XML |No |None.| ### Consume JSON files generated by copy activities 
@@ -141,7 +141,7 @@ There are following limitations on JSON for copy and data flows respectively: :::image type="content" source="./media/data-flow-troubleshoot-connector-format/enabled-single-document.png" alt-text="Screenshot that shows the enabled 'Single document'."::: -So you will experience issues if the following criteria are met: +So you might experience issues if the following criteria are met: - The sink dataset used by the copy activity is set to Unicode encoding (utf-8, utf-16, utf-16be, utf-32, utf-32be) or the default is used. - The copy sink is set to use "Array of objects" file pattern as shown in the following picture, no matter whether "Single document" is enabled or not in the data flow JSON source. @@ -156,7 +156,7 @@ So you will experience issues if the following criteria are met: >[!Note] > Using "Set of objects" is also the recommended practice from the performance perspective. As the "Single document" JSON in the data flow can't enable parallel reading for single large files, this recommendation does not have any negative impact. -### The query with parameters does not work +### The query with parameters doesn't work #### Symptoms 
@@ -185,19 +185,19 @@ For example: ### Fail to create files with service principle authentication #### Symptoms -When you try to move or transfer data from different sources into the ADLS gen1 sink, if the linked service's authentication method is service principle authentication, your job may fail with the following error message: +When you try to move or transfer data from different sources into the ADLS gen1 sink, if the linked service's authentication method is service principle authentication, your job might fail with the following error message: `org.apache.hadoop.security.AccessControlException: CREATE failed with error 0x83090aa2 (Forbidden. ACL verification failed. Either the resource does not exist or the user is not authorized to perform the requested operation.). [2b5e5d92-xxxx-xxxx-xxxx-db4ce6fa0487] failed with error 0x83090aa2 (Forbidden. ACL verification failed. Either the resource does not exist or the user is not authorized to perform the requested operation.)` #### Cause -The RWX permission or the dataset property is not set correctly. +The RWX permission or the dataset property isn't set correctly. #### Recommendation - If the target folder doesn't have correct permissions, refer to this document to assign the correct permission in Gen1: [Use service principal authentication](./connector-azure-data-lake-store.md#use-service-principal-authentication). -- If the target folder has the correct permission and you use the file name property in the data flow to target to the right folder and file name, but the file path property of the dataset is not set to the target file path (usually leave not set), as the example shown in the following pictures, you will encounter this failure because the backend system tries to create files based on the file path of the dataset, and the file path of the dataset doesn't have the correct permission. 
+- If the target folder has the correct permission and you use the file name property in the data flow to target to the right folder and file name, but the file path property of the dataset isn't set to the target file path (usually leave not set), as the example shown in the following pictures, you encounter this failure because the backend system tries to create files based on the file path of the dataset, and the file path of the dataset doesn't have the correct permission. :::image type="content" source="./media/data-flow-troubleshoot-connector-format/file-path-property.png" alt-text="Screenshot that shows the file path property."::: 
@@ -210,35 +210,35 @@ The RWX permission or the dataset property is not set correctly. ## Azure Data Lake Storage Gen2 -### Failed with an error: "Error while reading file XXX. It is possible the underlying files have been updated" +### Failed with an error: "Error while reading file XXX. It's possible the underlying files have been updated." #### Symptoms -When you use the ADLS Gen2 as a sink in the data flow (to preview data, debug/trigger run, etc.) and the partition setting in **Optimize** tab in the **Sink** stage is not default, you may find job fail with the following error message: +When you use the ADLS Gen2 as a sink in the data flow (to preview data, debug/trigger run, etc.) and the partition setting in **Optimize** tab in the **Sink** stage isn't default, you might find the job fails with the following error message: `Job failed due to reason: Error while reading file abfss:REDACTED_LOCAL_PART@prod.dfs.core.windows.net/import/data/e3342084-930c-4f08-9975-558a3116a1a9/part-00000-tid-7848242374008877624-5df7454e-7b14-4253-a20b-d20b63fe9983-1-1-c000.csv. It is possible the underlying files have been updated. You can explicitly invalidate the cache in Spark by running 'REFRESH TABLE tableName' command in SQL or by recreating the Dataset/DataFrame involved.` #### Cause 1. You don't assign a proper permission to your MI/SP authentication. -1. You may have a customized job to handle files that you don't want, which will affect the data flow's middle output. +1. You might have a customized job to handle files that you don't want, which will affect the data flow's middle output. #### Recommendation 1. Check if your linked service has the R/W/E permission for Gen2. If you use the MI auth/SP authentication, at least grant the Storage Blob Data Contributor role in the Access control (IAM). -1. Confirm if you have specific jobs that move/delete files to other place whose name does not match your rule. 
Because data flows will write down partition files into the target folder firstly and then do the merge and rename operations, the middle file's name might not match your rule. +1. Confirm if you have specific jobs that move/delete files to other place whose name doesn't match your rule. Because data flows write down partition files into the target folder firstly and then do the merge and rename operations, the middle file's name might not match your rule. ## Azure Database for PostgreSQL ### Encounter an error: Failed with exception: handshake_failure #### Symptoms -You use Azure PostgreSQL as a source or sink in the data flow such as previewing data and debugging/triggering run, and you may find the job fails with following error message: +You use Azure PostgreSQL as a source or sink in the data flow such as previewing data and debugging/triggering run, and you might find the job fails with following error message: `PSQLException: SSL error: Received fatal alert: handshake_failure `
`Caused by: SSLHandshakeException: Received fatal alert: handshake_failure.` #### Cause -If you use the flexible server or Hyperscale (Citus) for your Azure PostgreSQL server, since the system is built via Spark upon Azure Databricks cluster, there is a limitation in Azure Databricks blocks our system to connect to the Flexible server or Hyperscale (Citus). You can review the following two links as references. +If you use the flexible server or Hyperscale (Citus) for your Azure PostgreSQL server, since the system is built via Spark upon Azure Databricks cluster, there's a limitation in Azure Databricks blocks our system to connect to the Flexible server or Hyperscale (Citus). You can review the following two links as references. - [Handshake fails trying to connect from Azure Databricks to Azure PostgreSQL with SSL](/answers/questions/170730/handshake-fails-trying-to-connect-from-azure-datab.html) - [MCW-Real-time-data-with-Azure-Database-for-PostgreSQL-Hyperscale](https://github.com/microsoft/MCW-Real-time-data-with-Azure-Database-for-PostgreSQL-Hyperscale/blob/master/Hands-on%20lab/HOL%20step-by%20step%20-%20Real-time%20data%20with%20Azure%20Database%20for%20PostgreSQL%20Hyperscale.md)
@@ -259,7 +259,7 @@ Your Azure SQL Database can work well in the data copy, dataset preview-data, an #### Cause -There are wrong firewall settings on your Azure SQL Database server, so that it cannot be connected by the data flow runtime. Currently, when you try to use the data flow to read/write Azure SQL Database, Azure Databricks is used to build spark cluster to run the job, but it does not support fixed IP ranges. For more details, please refer to [Azure Integration Runtime IP addresses](./azure-integration-runtime-ip-addresses.md). +There are wrong firewall settings on your Azure SQL Database server, so that it can't be connected by the data flow runtime. Currently, when you try to use the data flow to read/write Azure SQL Database, Azure Databricks is used to build spark cluster to run the job, but it doesn't support fixed IP ranges. For more details, please refer to [Azure Integration Runtime IP addresses](./azure-integration-runtime-ip-addresses.md). #### Recommendation 
@@ -287,11 +287,11 @@ The query used in the data flow source should be able to run as a sub query. The Provide a correct query and test it in the SSMS firstly. -### Failed with an error: "SQLServerException: 111212; Operation cannot be performed within a transaction." +### Failed with an error: "SQLServerException: 111212; Operation can't be performed within a transaction." #### Symptoms -When you use the Azure SQL Database as a sink in the data flow to preview data, debug/trigger run and do other activities, you may find your job fails with following error message: +When you use the Azure SQL Database as a sink in the data flow to preview data, debug/trigger run and do other activities, you might find your job fails with following error message: `{"StatusCode":"DFExecutorUserError","Message":"Job failed due to reason: at Sink 'sink': shaded.msdataflow.com.microsoft.sqlserver.jdbc.SQLServerException: 111212;Operation cannot be performed within a transaction.","Details":"at Sink 'sink': shaded.msdataflow.com.microsoft.sqlserver.jdbc.SQLServerException: 111212;Operation cannot be performed within a transaction."}` @@ -299,7 +299,7 @@ When you use the Azure SQL Database as a sink in the data flow to preview data, The error "`111212;Operation cannot be performed within a transaction.`" only occurs in the Synapse dedicated SQL pool. But you mistakenly use the Azure SQL Database as the connector instead. #### Recommendation -Confirm if your SQL Database is a Synapse dedicated SQL pool. If so, use Azure Synapse Analytics as a connector shown in the picture below. +Confirm if your SQL Database is a Synapse dedicated SQL pool. If so, use Azure Synapse Analytics as a connector shown in the following image. :::image type="content" source="./media/data-flow-troubleshoot-connector-format/synapse-analytics-connector.png" alt-text="Screenshot that shows the Azure Synapse Analytics connector."::: 
@@ -307,30 +307,30 @@ Confirm if your SQL Database is a Synapse dedicated SQL pool. If so, use Azure S #### Symptoms -You want to insert data into a table in the SQL database. If the data contains the decimal type and need to be inserted into a column with the decimal type in the SQL database, the data value may be changed to null. +You want to insert data into a table in the SQL database. If the data contains the decimal type and need to be inserted into a column with the decimal type in the SQL database, the data value might be changed to null. -If you do the preview, in previous stages, it will show the value like the following picture: +If you do the preview, in previous stages, it shows the value like the following picture: :::image type="content" source="./media/data-flow-troubleshoot-connector-format/value-in-previous-stage.png" alt-text="Screenshot that shows the value in the previous stages."::: -In the sink stage, it will become null, which is shown in the picture below. +In the sink stage, it becomes null, which is shown in the following image. :::image type="content" source="./media/data-flow-troubleshoot-connector-format/value-in-sink-stage.png" alt-text="Screenshot that shows the value in the sink stage."::: #### Cause -The decimal type has scale and precision properties. If your data type doesn't match that in the sink table, the system will validate that the target decimal is wider than the original decimal, and the original value does not overflow in the target decimal. Therefore, the value will be cast to null. +The decimal type has scale and precision properties. If your data type doesn't match that in the sink table, the system validates that the target decimal is wider than the original decimal, and the original value doesn't overflow in the target decimal. Therefore, the value is cast to null. #### Recommendation Check and compare the decimal type between data and table in the SQL database, and alter the scale and precision to the same. 
-You can use toDecimal (IDecimal, scale, precision) to figure out if the original data can be cast to the target scale and precision. If it returns null, it means that the data cannot be cast and furthered when inserting. +You can use toDecimal (IDecimal, scale, precision) to figure out if the original data can be cast to the target scale and precision. If it returns null, it means that the data can't be cast and furthered when inserting. ## Azure Synapse Analytics ### Serverless pool (SQL on-demand) related issues #### Symptoms -You use the Azure Synapse Analytics and the linked service actually is a Synapse serverless pool. Its former name is SQL on-demand pool, and it can be distinguished by the server name contains `ondemand`, for example, `space-ondemand.sql.azuresynapse.net`. You may face with several unique failures as below:
+You use the Azure Synapse Analytics and the linked service actually is a Synapse serverless pool. Its former name is SQL on-demand pool, and you can distinguish it by finding the server name that contains `ondemand`, for example, `space-ondemand.sql.azuresynapse.net`. You might face with several unique failures such as these:
1. When you want to use Synapse serverless pool as a Sink, you face the following error:
`Sink results in 0 output columns. Please ensure at least one column is mapped` 
@@ -339,21 +339,21 @@ You use the Azure Synapse Analytics and the linked service actually is a Synapse 1. When you want to fetch data from an external table, you face the following error: `shaded.msdataflow.com.microsoft.sqlserver.jdbc.SQLServerException: External table 'dbo' is not accessible because location does not exist or it is used by another process.` 1. When you want to fetch data from Azure Cosmos DB through Serverless pool by query/from view, you face the following error: `Job failed due to reason: Connection reset.` -1. When you want to fetch data from a view, you may face with different errors. +1. When you want to fetch data from a view, you might face with different errors. #### Cause -Causes of the symptoms are stated below respectively: -1. Serverless pool cannot be used as a sink. It doesn't support write data into the database. -1. Serverless pool doesn't support staged data loading, so 'enable staging' is not supported. +Causes of the symptoms are stated respectively here: +1. Serverless pool can't be used as a sink. It doesn't support write data into the database. +1. Serverless pool doesn't support staged data loading, so 'enable staging' isn't supported. 1. The authentication method that you use doesn't have a correct permission to the external data source where the external table referring to. -1. There is a known limitation in Synapse serverless pool, blocking you to fetch Azure Cosmos DB data from data flows. +1. There's a known limitation in Synapse serverless pool, blocking you to fetch Azure Cosmos DB data from data flows. 1. View is a virtual table based on an SQL statement. The root cause is inside the statement of the view. #### Recommendation You can apply the following steps to solve your issues correspondingly. 1. You should better not use serverless pool as a sink. -1. Do not use 'enable staging' in Source for serverless pool. +1. Don't use 'enable staging' in Source for serverless pool. 1. 
Only service principal/managed identity that has the permission to the external table data can query it. Grant 'Storage Blob Data Contributor' permission to the external data source for the authentication method that you use in the ADF. >[!Note] > The user-password authentication can not query external tables. For more information, see [Security model](../synapse-analytics/metadata/database.md#security-model). @@ -365,10 +365,10 @@ You can apply the following steps to solve your issues correspondingly. ### Load small size data to Data Warehouse without staging is slow #### Symptoms -When you load small data to Data Warehouse without staging, it will take a long time to finish. For example, the data size 2 MB but it takes more than 1 hour to finish. +When you load small data to Data Warehouse without staging, it takes a long time to finish. For example, the data size 2 MB but it takes more than 1 hour to finish. #### Cause -This issue is caused by the row count rather than the size. The row count has few thousand, and each insert needs to be packaged into an independent request, go to the control node, start a new transaction, get locks, and go to the distribution node repeatedly. Bulk load gets the lock once, and each distribution node performs the insert by batching into memory efficiently. +The row count rather than the size causes this issue. The row count has few thousand, and each insert needs to be packaged into an independent request, go to the control node, start a new transaction, get locks, and go to the distribution node repeatedly. Bulk load gets the lock once, and each distribution node performs the insert by batching into memory efficiently. If 2 MB is inserted as just a few records, it would be fast. For example, it would be fast if each record is 500 kb * 4 rows. 
@@ -379,14 +379,14 @@ You need to enable staging to improve the performance. ### Read empty string value ("") as NULL with the enable staging #### Symptoms -When you use Synapse as a source in the data flow such as previewing data and debugging/triggering run and enable staging to use the PolyBase, if your column value contains empty string value (`""`), it will be changed to null. +When you use Synapse as a source in the data flow such as previewing data and debugging/triggering run and enable staging to use the PolyBase, if your column value contains empty string value (`""`), it is changed to null. #### Cause -The data flow back end uses Parquet as the PolyBase format, and there is a known limitation in the Synapse SQL pool gen2, which will automatically change the empty string value to null. +The data flow back end uses Parquet as the PolyBase format, and there's a known limitation in the Synapse SQL pool gen2, which automatically changes the empty string value to null. #### Recommendation You can try to solve this issue by the following methods: -1. If your data size is not huge, you can disable **Enable staging** in the Source, but the performance will be affected. +1. If your data size isn't huge, you can disable **Enable staging** in the Source, but the performance is affected. 1. If you need to enable staging, you can use **iifNull()** function to manually change the specific column from null to empty string value. ### Managed service identity error 
@@ -400,27 +400,27 @@ When you use the Synapse as a source/sink in the data flow to preview data, debu `shaded.msdataflow.com.microsoft.sqlserver.jdbc.SQLServerException: Managed Service Identity has not been enabled on this server. Please enable Managed Service Identity and try again.` #### Cause -1. If the SQL pool is created from Synapse workspace, MI authentication on staging store with the PolyBase is not supported for the old SQL pool. -1. If the SQL pool is the old Data Warehouse (DWH) version, MI of the SQL server is not assigned to the staging store. +1. If the SQL pool is created from Synapse workspace, MI authentication on staging store with the PolyBase isn't supported for the old SQL pool. +1. If the SQL pool is the old Data Warehouse (DWH) version, MI of the SQL server isn't assigned to the staging store. #### Recommendation Confirm the SQL pool was created from the Azure Synapse workspace. -- If the SQL pool was created from the Azure Synapse workspace, no additional steps are necessary. You no longer need to re-register the Managed Identity (MI) of the workspace. The system assigned managed identity (SA-MI) of the workspace is a member of the Synapse Administrator role and thus has elevated privileges on the dedicated SQL pools of the workspace. -- If the SQL pool is a dedicated SQL pool (formerly SQL DW) pre-dating Azure Synapse, only enable MI for your SQL server and assign the permission of the staging store to the MI of your SQL Server. You can refer to the steps in this article as an example: [Use virtual network service endpoints and rules for servers in Azure SQL Database](/azure/azure-sql/database/vnet-service-endpoint-rule-overview#steps). +- If the SQL pool was created from the Azure Synapse workspace, no extra steps are necessary. You no longer need to re-register the Managed Identity (MI) of the workspace. 
The system assigned managed identity (SA-MI) of the workspace is a member of the Synapse Administrator role and thus has elevated privileges on the dedicated SQL pools of the workspace. +- If the SQL pool is a dedicated SQL pool (formerly SQL DW) predating Azure Synapse, only enable MI for your SQL server and assign the permission of the staging store to the MI of your SQL Server. You can refer to the steps in this article as an example: [Use virtual network service endpoints and rules for servers in Azure SQL Database](/azure/azure-sql/database/vnet-service-endpoint-rule-overview#steps). ### Failed with an error: "SQLServerException: Not able to validate external location because the remote server returned an error: (403)" #### Symptoms -When you use SQLDW as a sink to trigger and run data flow activities, the activity may fail with error like: `"SQLServerException: Not able to validate external location because the remote server returned an error: (403)"` +When you use SQLDW as a sink to trigger and run data flow activities, the activity might fail with error like: `"SQLServerException: Not able to validate external location because the remote server returned an error: (403)"` #### Cause -1. When you use the managed identity in the authentication method in the ADLS Gen2 account as staging, cx may not set the authentication configuration correctly. -1. With the VNET integration runtime, you need to use the managed identity in the authentication method in the ADLS Gen2 account as staging. If your staging Azure Storage is configured with the VNet service endpoint, you must use managed identity authentication with "allow trusted Microsoft service" enabled on the storage account. +1. When you use the managed identity in the authentication method in the ADLS Gen2 account as staging, you might not set the authentication configuration correctly. +1. 
With the virtual network integration runtime, you need to use the managed identity in the authentication method in the ADLS Gen2 account as staging. If your staging Azure Storage is configured with the virtual network service endpoint, you must use managed identity authentication with "allow trusted Microsoft service" enabled on the storage account. 1. Check whether your folder name contains the space character or other special characters, for example: `Space " < > # % |`. -Currently folder names that contain certain special characters are not supported in the Data Warehouse copy command. +Currently folder names that contain certain special characters aren't supported in the Data Warehouse copy command. #### Recommendation 
@@ -428,9 +428,9 @@ For Cause 1, you can refer to the following document: [Use virtual network servi For Cause 2, work around it with one of the following options: -- Option-1: If you use the VNET integration runtime, you need to use the managed identity in the authentication method in the ADLS GEN 2 account as staging. +- Option-1: If you use the virtual network integration runtime, you need to use the managed identity in the authentication method in the ADLS GEN 2 account as staging. -- Option-2: If your staging Azure Storage is configured with the VNet service endpoint, you must use managed identity authentication with "allow trusted Microsoft service" enabled on the storage account. You can refer to this doc: [Staged copy by using PolyBase](./connector-azure-sql-data-warehouse.md#staged-copy-by-using-polybase) for more information. +- Option-2: If your staging Azure Storage is configured with the virtual network service endpoint, you must use managed identity authentication with "allow trusted Microsoft service" enabled on the storage account. You can refer to this doc: [Staged copy by using PolyBase](./connector-azure-sql-data-warehouse.md#staged-copy-by-using-polybase) for more information. For Cause 3, work around it with one of the following options: @@ -439,25 +439,7 @@ For Cause 3, work around it with one of the following options: :::image type="content" source="./media/data-flow-troubleshoot-connector-format/remove-allow-copy-command-true.png" alt-text="Screenshot that shows how to remove 'allowcopycommand:true'."::: - -### Failed with an error: "This operation is not permitted on a non-empty directory" - -#### Symptoms - -When you use Azure Synapse Analytics as a sink in the data flow to preview data, debug/trigger run or do other activities and the enable staging is set to true, your job may fail with the following error message: - -`DF-SYS-01 at Sink 'sink': Unable to stage data before write. Check configuration/credentials of storage.`
-`org.apache.hadoop.fs.azure.AzureException: com.microsoft.azure.storage.StorageException: This operation is not permitted on a non-empty directory.` - -#### Cause -You use the Azure Blob Storage as the staging linked service to link to a storage account that has the enabled hierarchical namespace, and that account uses key authentication in the linked service. - -:::image type="content" source="./media/data-flow-troubleshoot-connector-format/storage-account-configuration.png" alt-text="Screenshot that shows the storage account configuration."::: - -#### Recommendation -Create an Azure Data Lake Gen2 linked service for the storage, and select the Gen2 storage as the staging linked service in data flow activities. - -### Failed with an error: "shaded.msdataflow.com.microsoft.sqlserver.jdbc.SQLServerException: User does not have permission to perform this action." +### Failed with an error: "shaded.msdataflow.com.microsoft.sqlserver.jdbc.SQLServerException: User doesn't have permission to perform this action." #### Symptoms @@ -471,7 +453,7 @@ PolyBase requires certain permissions in your Synapse SQL server to work. #### Recommendation -Grant the permissions below in your Synapse SQL server when you use PolyBase: +Grant these permissions in your Synapse SQL server when you use PolyBase: **ALTER ANY SCHEMA**
**ALTER ANY EXTERNAL DATA SOURCE**
@@ -483,81 +465,81 @@ Grant the permissions below in your Synapse SQL server when you use PolyBase: ### Model.json files with special characters #### Symptoms -You may encounter an issue that the final name of the model.json file contains special characters.   +You might encounter an issue that the final name of the model.json file contains special characters. -#### Error message   -`at Source 'source1': java.lang.IllegalArgumentException: java.net.URISyntaxException: Relative path in absolute URI: PPDFTable1.csv@snapshot=2020-10-21T18:00:36.9469086Z. `  +#### Error message +`at Source 'source1': java.lang.IllegalArgumentException: java.net.URISyntaxException: Relative path in absolute URI: PPDFTable1.csv@snapshot=2020-10-21T18:00:36.9469086Z. ` -#### Recommendation   -Replace the special chars in the file name, which will work in the synapse but not in ADF.   +#### Recommendation +Replace the special chars in the file name, which works in the synapse but not in ADF. -### No data output in the data preview or after running pipelines +### No data output in the data preview or after running pipelines #### Symptoms -When you use the manifest.json for CDM, no data is shown in the data preview or shown after running a pipeline. Only headers are shown. You can see this issue in the picture below.
+When you use the manifest.json for CDM, no data is shown in the data preview or shown after running a pipeline. Only headers are shown. You can see this issue in the picture below.
:::image type="content" source="./media/data-flow-troubleshoot-connector-format/no-data-output.png" alt-text="Screenshot that shows the no data output symptom."::: #### Cause -The manifest document describes the CDM folder, for example, what entities that you have in the folder, references of those entities and the data that corresponds to this instance. Your manifest document misses the `dataPartitions` information that indicates ADF where to read the data, and  since it is empty, it returns zero data.  +The manifest document describes the CDM folder, for example, what entities that you have in the folder, references of those entities and the data that corresponds to this instance. Your manifest document misses the `dataPartitions` information that indicates ADF where to read the data, and since it's empty, it returns zero data. #### Recommendation -Update your manifest document to have the `dataPartitions` information, and you can refer to this example manifest document to update your document: [Common Data Model metadata: Introducing manifest-Example manifest document](/common-data-model/cdm-manifest#example-manifest-document). +Update your manifest document to have the `dataPartitions` information, and you can refer to this example manifest document to update your document: [Common Data Model metadata: Introducing manifest-Example manifest document](/common-data-model/cdm-manifest#example-manifest-document). ### JSON array attributes are inferred as separate columns -#### Symptoms  -You may encounter an issue where one attribute (string type) of the CDM entity has a JSON array as data. When this data is encountered, ADF infers the data as separate columns incorrectly. As you can see from the following pictures, a single attribute presented in the source (msfp_otherproperties) is inferred as a separate column in the CDM connector's preview.
  +#### Symptoms +You might encounter an issue where one attribute (string type) of the CDM entity has a JSON array as data. When this data is encountered, ADF infers the data as separate columns incorrectly. As you can see from the following pictures, a single attribute presented in the source (msfp_otherproperties) is inferred as a separate column in the CDM connector's preview.
- In the CSV source data (refer to the second column):
:::image type="content" source="./media/data-flow-troubleshoot-connector-format/json-array-csv.png" alt-text="Screenshot that shows the attribute in the CSV source data."::: -- In the CDM source data preview: 
+- In the CDM source data preview:
:::image type="content" source="./media/data-flow-troubleshoot-connector-format/json-array-cdm.png" alt-text="Screenshot that shows the separate column in the CDM source data."::: -  -You may also try to map drifted columns and use the data flow expression to transform this attribute as an array. But since this attribute is read as a separate column when reading, transforming to an array does not work.   + +You might also try to map drifted columns and use the data flow expression to transform this attribute as an array. But since this attribute is read as a separate column when reading, transforming to an array does not work. #### Cause -This issue is likely caused by the commas within your JSON object value for that column. Since your data file is expected to be a CSV file, the comma indicates that it is the end of a column's value. +This issue is likely caused by the commas within your JSON object value for that column. Since your data file is expected to be a CSV file, the comma indicates that it's the end of a column's value. #### Recommendation -To solve this problem, you need to double quote your JSON column and avoid any of the inner quotes with a backslash (`\`). In this way, the contents of that column's value can be read in as a single column entirely.   -   +To solve this problem, you need to double quote your JSON column and avoid any of the inner quotes with a backslash (`\`). In this way, the contents of that column's value can be read in as a single column entirely. + >[!Note] ->The CDM doesn't inform that the data type of the column value is JSON, yet it informs that it is a string and parsed as such. +>The CDM doesn't inform that the data type of the column value is JSON, yet it informs that it is a string and parsed as such. ### Unable to fetch data in the data flow preview #### Symptoms -You use CDM with model.json generated by Power BI. 
When you preview the CDM data using the data flow preview, you encounter an error: `No output data.` +You use CDM with model.json generated by Power BI. When you preview the CDM data using the data flow preview, you encounter an error: `No output data.` #### Cause - The following code exists in the partitions in the model.json file generated by the Power BI data flow. + The following code exists in the partitions in the model.json file generated by the Power BI data flow. ```json -"partitions": [   -{   -"name": "Part001",   -"refreshTime": "2020-10-02T13:26:10.7624605+00:00",   -"location": "https://datalakegen2.dfs.core.windows.net/powerbi/salesEntities/salesPerfByYear.csv @snapshot=2020-10-02T13:26:10.6681248Z"   -}   +"partitions": [ +{ +"name": "Part001", +"refreshTime": "2020-10-02T13:26:10.7624605+00:00", +"location": "https://datalakegen2.dfs.core.windows.net/powerbi/salesEntities/salesPerfByYear.csv @snapshot=2020-10-02T13:26:10.6681248Z" +} ``` -For this model.json file, the issue is the naming schema of the data partition file has special characters, and supporting file paths with '@' do not exist currently.   +For this model.json file, the issue is the naming schema of the data partition file has special characters, and supporting file paths with '@' do not exist currently. #### Recommendation -Remove the `@snapshot=2020-10-02T13:26:10.6681248Z` part from the data partition file name and the model.json file, and then try again. +Remove the `@snapshot=2020-10-02T13:26:10.6681248Z` part from the data partition file name and the model.json file, and then try again. ### The corpus path is null or empty #### Symptoms -When you use CDM in the data flow with the model format, you cannot preview the data, and you encounter the error: `DF-CDM_005 The corpus path is null or empty`. 
The error is shown in the following picture:   +When you use CDM in the data flow with the model format, you can't preview the data, and you encounter the error: `DF-CDM_005 The corpus path is null or empty`. The error is shown in the following picture: :::image type="content" source="./media/data-flow-troubleshoot-connector-format/corpus-path-error.png" alt-text="Screenshot that shows the corpus path error."::: #### Cause -Your data partition path in the model.json is pointing to a blob storage location and not your data lake. The location should have the base URL of **.dfs.core.windows.net** for the ADLS Gen2.  +Your data partition path in the model.json is pointing to a blob storage location and not your data lake. The location should have the base URL of **.dfs.core.windows.net** for the ADLS Gen2. #### Recommendation To solve this issue, you can refer to this article: [ADF Adds Support for Inline Datasets and Common Data Model to Data Flows](https://techcommunity.microsoft.com/t5/azure-data-factory/adf-adds-support-for-inline-datasets-and-common-data-model-to/ba-p/1441798), and the following picture shows the way to fix the corpus path error in this article. 
@@ -566,33 +548,33 @@ To solve this issue, you can refer to this article: [ADF Adds Support for Inline ### Unable to read CSV data files -#### Symptoms  -You use the inline dataset as the common data model with manifest as a source, and you have provided the entry manifest file, root path, entity name, and path. In the manifest, you have the data partitions with the CSV file location. Meanwhile, the entity schema and csv schema are identical, and all validations were successful. However, in the data preview, only the schema rather than the data gets loaded and the data is invisible, which is shown in the following picture: +#### Symptoms +You use the inline dataset as the common data model with manifest as a source, and you provided the entry manifest file, root path, entity name, and path. In the manifest, you have the data partitions with the CSV file location. Meanwhile, the entity schema and csv schema are identical, and all validations were successful. However, in the data preview, only the schema rather than the data gets loaded and the data is invisible, which is shown in the following picture: -:::image type="content" source="./media/data-flow-troubleshoot-connector-format/unable-read-data.png" alt-text="Screenshot that shows the issue of unable to read data files."::: +:::image type="content" source="./media/data-flow-troubleshoot-connector-format/unable-read-data.png" alt-text="Screenshot that shows the issue of unable to read data files."::: #### Cause -Your CDM folder is not separated into logical and physical models, and only physical models exist in the CDM folder. The following two articles describe the difference: [Logical definitions](/common-data-model/sdk/logical-definitions) and [Resolving a logical entity definition](/common-data-model/sdk/convert-logical-entities-resolved-entities).
  +Your CDM folder isn't separated into logical and physical models, and only physical models exist in the CDM folder. The following two articles describe the difference: [Logical definitions](/common-data-model/sdk/logical-definitions) and [Resolving a logical entity definition](/common-data-model/sdk/convert-logical-entities-resolved-entities).
#### Recommendation -For the data flow using CDM as a source, try to use a logical model as your entity reference, and use the manifest that describes the location of the physical resolved entities and the data partition locations. You can see some samples of logical entity definitions within the public CDM github repository: [CDM-schemaDocuments](https://github.com/microsoft/CDM/tree/master/schemaDocuments)
+For the data flow using CDM as a source, try to use a logical model as your entity reference, and use the manifest that describes the location of the physical resolved entities and the data partition locations. You can see some samples of logical entity definitions within the public CDM GitHub repository: [CDM-schemaDocuments](https://github.com/microsoft/CDM/tree/master/schemaDocuments)
-A good starting point to forming your corpus is to copy the files within the schema documents folder (just that level inside the github repository), and put those files into a folder. Afterwards, you can use one of the predefined logical entities within the repository (as a starting or reference point) to create your logical model.
+A good starting point to forming your corpus is to copy the files within the schema documents folder (just that level inside the GitHub repository), and put those files into a folder. Afterwards, you can use one of the predefined logical entities within the repository (as a starting or reference point) to create your logical model.
-Once the corpus is set up, you are recommended to use CDM as a sink within data flows, so that a well-formed CDM folder can be properly created. You can use your CSV dataset as a source and then sink it to your CDM model that you created. +Once the corpus is set up, you're recommended to use CDM as a sink within data flows, so that a well-formed CDM folder can be properly created. You can use your CSV dataset as a source and then sink it to your CDM model that you created. ## CSV and Excel format -### Set the quote character to 'no quote char' is not supported in the CSV +### Set the quote character to 'no quote char' isn't supported in the CSV #### Symptoms -There are several issues that are not supported in the CSV when the quote character is set to 'no quote char': +There are several issues that aren't supported in the CSV when the quote character is set to 'no quote char': 1. When the quote character is set to 'no quote char', multi-char column delimiter can't start and end with the same letters. 2. When the quote character is set to 'no quote char', multi-char column delimiter can't contain the escape character: `\`. 3. When the quote character is set to 'no quote char', column value can't contain row delimiter. -4. The quote character and the escape character cannot both be empty (no quote and no escape) if the column value contains a column delimiter. +4. The quote character and the escape character can't both be empty (no quote and no escape) if the column value contains a column delimiter. #### Cause @@ -607,7 +589,7 @@ Causes of the symptoms are stated below with examples respectively: `column delimiter: \x`
`escape char:\`
`column value: "abc\\xdef"`
-The escape character will either escape the column delimiter or the escape the character. +The escape character either escapes the column delimiter or the escape the character. 3. The column value contains the row delimiter.
`We need quote character to tell if row delimiter is inside column value or not.` @@ -618,15 +600,15 @@ The escape character will either escape the column delimiter or the escape the c `It will be ambigious if it contains 3 columns 111,222,33\t3 or 4 columns 111,222,33,3.`
#### Recommendation -The first symptom and the second symptom cannot be solved currently. For the third and fourth symptoms, you can apply the following methods: -- For Symptom 3, do not use the 'no quote char' for a multiline csv file. -- For Symptom 4, set either the quote character or the escape character as non-empty, or you can remove all column delimiters inside your data. +The first symptom and the second symptom can't be solved currently. For the third and fourth symptoms, you can apply the following methods: +- For Symptom 3, don't use the 'no quote char' for a multiline csv file. +- For Symptom 4, set either the quote character or the escape character as nonempty, or you can remove all column delimiters inside your data. ### Read files with different schemas error #### Symptoms -When you use data flows to read files such as CSV and Excel files with different schemas, the data flow debug, sandbox, or activity run will fail. +When you use data flows to read files such as CSV and Excel files with different schemas, the data flow debug, sandbox, or activity run fails. - For CSV, the data misalignment exists when the schema of files is different. :::image type="content" source="./media/data-flow-troubleshoot-connector-format/schema-error-1.png" alt-text="Screenshot that shows the first schema error."::: 
@@ -637,17 +619,17 @@ When you use data flows to read files such as CSV and Excel files with different #### Cause -Reading files with different schemas in the data flow is not supported. +Reading files with different schemas in the data flow isn't supported. #### Recommendation -If you still want to transfer files such as CSV and Excel files with different schemas in the data flow, you can use the ways below to work around: +If you still want to transfer files such as CSV and Excel files with different schemas in the data flow, you can use these ways to work around: -- For CSV, you need to manually merge the schema of different files to get the full schema. For example, file_1 has columns `c_1`, `c_2`, `c_3` while file_2 has columns `c_3`, `c_4`, ... `c_10`, so the merged and the full schema is `c_1`, `c_2`, ... `c_10`. Then make other files also have the same full schema even though it does not have data, for example, file_*x* only has columns `c_1`, `c_2`, `c_3`, `c_4`, please add columns `c_5`, `c_6`, ... `c_10` in the file to make them consistent with the other files. +- For CSV, you need to manually merge the schema of different files to get the full schema. For example, file_1 has columns `c_1`, `c_2`, `c_3` while file_2 has columns `c_3`, `c_4`, ... `c_10`, so the merged and the full schema is `c_1`, `c_2`, ... `c_10`. Then make other files also have the same full schema even though it doesn't have data, for example, file_*x* only has columns `c_1`, `c_2`, `c_3`, `c_4`, add columns `c_5`, `c_6`, ... `c_10` in the file to make them consistent with the other files. - For Excel, you can solve this issue by applying one of the following options: - - **Option-1**: You need to manually merge the schema of different files to get the full schema. For example, file_1 has columns `c_1`, `c_2`, `c_3` while file_2 has columns `c_3`, `c_4`, ... `c_10`, so the merged and full schema is `c_1`, `c_2`, ... `c_10`. 
Then make other files also have the same schema even though it does not have data, for example, file_x with sheet "SHEET_1" only has columns `c_1`, `c_2`, `c_3`, `c_4`, please add columns `c_5`, `c_6`, ... `c_10` in the sheet too, and then it can work. + - **Option-1**: You need to manually merge the schema of different files to get the full schema. For example, file_1 has columns `c_1`, `c_2`, `c_3` while file_2 has columns `c_3`, `c_4`, ... `c_10`, so the merged and full schema is `c_1`, `c_2`, ... `c_10`. Then make other files also have the same schema even though it doesn't have data, for example, file_x with sheet "SHEET_1" only has columns `c_1`, `c_2`, `c_3`, `c_4`, please add columns `c_5`, `c_6`, ... `c_10` in the sheet too, and then it can work. - **Option-2**: Use **range (for example, A1:G100) + firstRowAsHeader=false**, and then it can load data from all Excel files even though the column name and count is different. @@ -664,7 +646,7 @@ If you still want to transfer files such as CSV and Excel files with different s #### Symptoms -You encounter the following error when you create the Snowflake linked service in the public network, and you use the auto-resolve integration runtime. +You encounter the following error when you create the Snowflake linked service in the public network, and you use the autoresolve integration runtime. `ERROR [HY000] [Microsoft][Snowflake] (4) REST request for URL https://XXXXXXXX.east-us- 2.azure.snowflakecomputing.com.snowflakecomputing.com:443/session/v1/login-request?requestId=XXXXXXXXXXXXXXXXXXXXXXXXX&request_guid=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX` 
@@ -672,7 +654,7 @@ You encounter the following error when you create the Snowflake linked service i #### Cause -You have not applied the account name in the format that is given in the Snowflake account document (including additional segments that identify the region and cloud platform), for example, `XXXXXXXX.east-us-2.azure`. You can refer to this document: [Linked service properties](./connector-snowflake.md#linked-service-properties) for more information. +You haven't applied the account name in the format that is given in the Snowflake account document (including extra segments that identify the region and cloud platform), for example, `XXXXXXXX.east-us-2.azure`. You can refer to this document: [Linked service properties](./connector-snowflake.md#linked-service-properties) for more information. #### Recommendation 
@@ -688,24 +670,24 @@ When you try to use "import projection", "data preview", etc. in the Snowflake s #### Cause -You meet this error because of the wrong configuration. When you use the data flow to read Snowflake data, the runtime Azure Databricks (ADB) is not directly select the query to Snowflake. Instead, a temporary stage are created, and data are pulled from tables to the stage and then compressed and pulled by ADB. This process is shown in the picture below. +You meet this error because of the wrong configuration. When you use the data flow to read Snowflake data, the runtime Azure Databricks (ADB) isn't directly select the query to Snowflake. Instead, a temporary stage are created, and data are pulled from tables to the stage and then compressed and pulled by ADB. This process is shown in the picture below. :::image type="content" source="./media/data-flow-troubleshoot-connector-format/snowflake-data-read-model.png" alt-text=" Screenshot that shows the Snowflake data read model."::: -So the user/role used in ADB should have necessary permission to do this in the Snowflake. But usually the user/role do not have the permission since the database is created on the share. +So the user/role used in ADB should have necessary permission to do this in the Snowflake. But usually the user/role don't have the permission since the database is created on the share. #### Recommendation To solve this issue, you can create different database and create views on the top of the shared DB to access it from ADB. For more details, please refer to [Snowflake](https://community.snowflake.com/s/question/0D50Z000095ktE4SAI/insufficient-privileges-to-operate-on-schema). -### Failed with an error: "SnowflakeSQLException: IP x.x.x.x is not allowed to access Snowflake. Contact your local security administrator" +### Failed with an error: "SnowflakeSQLException: IP x.x.x.x isn't allowed to access Snowflake. 
Contact your local security administrator" #### Symptoms -When you use snowflake in Azure Data Factory, you can successfully use test-connection in the Snowflake linked service, preview-data/import-schema on Snowflake dataset and run copy/lookup/get-metadata or other activities with it. But when you use Snowflake in the data flow activity, you may meet error like `SnowflakeSQLException: IP 13.66.58.164 is not allowed to access Snowflake. Contact your local security administrator.` +When you use snowflake in Azure Data Factory, you can successfully use test-connection in the Snowflake linked service, preview-data/import-schema on Snowflake dataset and run copy/lookup/get-metadata or other activities with it. But when you use Snowflake in the data flow activity, you might see an error like `SnowflakeSQLException: IP 13.66.58.164 is not allowed to access Snowflake. Contact your local security administrator.` #### Cause -The Azure Data Factory data flow does not support the use of fixed IP ranges. For more information, see [Azure Integration Runtime IP addresses](./azure-integration-runtime-ip-addresses.md). +The Azure Data Factory data flow doesn't support the use of fixed IP ranges. For more information, see [Azure Integration Runtime IP addresses](./azure-integration-runtime-ip-addresses.md). #### Recommendation 
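Review bot: The grammar defect in the Cause paragraph survives the edit: "the runtime Azure Databricks (ADB) isn't directly select the query to Snowflake" and "a temporary stage are created" still do not parse; suggest "the Azure Databricks (ADB) runtime doesn't send the query to Snowflake directly. Instead, a temporary stage is created, data is pulled from the tables into the stage, and ADB then reads the compressed data." Separately, the heading now reads "IP x.x.x.x isn't allowed to access Snowflake" while the literal exception quoted in Symptoms is `IP 13.66.58.164 is not allowed to access Snowflake`; contractions should not be applied inside quoted error text, because readers search on the exact string, so keep "is not" in the heading.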
@@ -719,11 +701,11 @@ To solve this issue, you can change the Snowflake account firewall settings with :::image type="content" source="./media/data-flow-troubleshoot-connector-format/allow-access-with-name.png" alt-text="Screenshot that shows how to allow access from all addresses with the certain name."::: -### Queries in the source does not work +### Queries in the source doesn't work #### Symptoms -When you try to read data from Snowflake with query, you may meet error like: +When you try to read data from Snowflake with query, you might see an error like these: 1. `SQL compilation error: error line 1 at position 7 invalid identifier 'xxx'` 2. `SQL compilation error: Object 'xxx' does not exist or not authorized.` @@ -736,16 +718,16 @@ You encounter this error because of your wrong configuration. For Snowflake, it applies the following rules for storing identifiers at creation/definition time and resolving them in queries and other SQL statements: -When an identifier (table name, schema name, column name, etc.) is unquoted, it is stored and resolved in uppercase by default, and it is case-in-sensitive. For example: +When an identifier (table name, schema name, column name, etc.) is unquoted, it's stored and resolved in uppercase by default, and it's case-in-sensitive. For example: :::image type="content" source="./media/data-flow-troubleshoot-connector-format/unquoted-identifier.png" alt-text="Screenshot that shows the example of unquoted identifier." lightbox="./media/data-flow-troubleshoot-connector-format/unquoted-identifier.png"::: -Because it is case-in-sensitive, so you can feel free to use following query to read snowflake data while the result is the same:
+Because it's case-in-sensitive, so you can feel free to use following query to read snowflake data while the result is the same:
- `Select MovieID, title from Public.TestQuotedTable2`
- `Select movieId, title from Public.TESTQUOTEDTABLE2`
- `Select movieID, TITLE from PUBLIC.TESTQUOTEDTABLE2`
-When an identifier (table name, schema name, column name, etc.) is double-quoted, it is stored and resolved exactly as entered, including case as it is case-sensitive, and you can see an example in the following picture. For more details, please refer to this document: [Identifier Requirements](https://docs.snowflake.com/en/sql-reference/identifiers-syntax.html#identifier-requirements). +When an identifier (table name, schema name, column name, etc.) is double-quoted, it's stored and resolved exactly as entered, including case as it is case-sensitive, and you can see an example in the following picture. For more details, please refer to this document: [Identifier Requirements](https://docs.snowflake.com/en/sql-reference/identifiers-syntax.html#identifier-requirements). :::image type="content" source="./media/data-flow-troubleshoot-connector-format/double-quoted-identifier.png" alt-text="Screenshot that shows the example of double quoted identifier." lightbox="./media/data-flow-troubleshoot-connector-format/double-quoted-identifier.png"::: @@ -763,11 +745,11 @@ If you meet up error with the Snowflake query, check whether some identifiers (t 1. After the SQL query of Snowflake is tested and validated, you can use it in the data flow Snowflake source directly. -### The expression type does not match the column data type, expecting VARIANT but got VARCHAR +### The expression type doesn't match the column data type, expecting VARIANT but got VARCHAR #### Symptoms -When you try to write data into the Snowflake table, you may meet the following error: +When you try to write data into the Snowflake table, you might meet the following error: `java.sql.BatchUpdateException: SQL compilation error: Expression type does not match column data type, expecting VARIANT but got VARCHAR` 
@@ -775,7 +757,7 @@ When you try to write data into the Snowflake table, you may meet the following The column type of input data is string, which is different from the VARIANT type of the related column in the Snowflake sink. -When you store data with complex schemas (array/map/struct) in a new Snowflake table, the data flow type will be automatically converted into its physical type VARIANT. +When you store data with complex schemas (array/map/struct) in a new Snowflake table, the data flow type is automatically converted into its physical type VARIANT. :::image type="content" source="./media/data-flow-troubleshoot-connector-format/physical-type-variant.png" alt-text="Screenshot that shows the VARIANT type in a table."::: diff --git a/articles/data-factory/media/adf-cdc/change-data-capture-resource-123.png b/articles/data-factory/media/adf-cdc/change-data-capture-resource-123.png index 0bdec5448293d..d2941832410ca 100644 Binary files a/articles/data-factory/media/adf-cdc/change-data-capture-resource-123.png and b/articles/data-factory/media/adf-cdc/change-data-capture-resource-123.png differ diff --git a/articles/data-factory/media/airflow-git-sync-repository/enable-git-sync.png b/articles/data-factory/media/airflow-git-sync-repository/enable-git-sync.png index d570367c0b4cd..0de6a25d30e46 100644 Binary files a/articles/data-factory/media/airflow-git-sync-repository/enable-git-sync.png and b/articles/data-factory/media/airflow-git-sync-repository/enable-git-sync.png differ 
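Review bot: The new heading "Queries in the source doesn't work" (hunk at -719,+701) introduces a subject-verb mismatch; "Queries in the source don't work" or "Queries in the source fail" is correct. In the same hunk, "you might see an error like these:" followed by a numbered list should be "errors like these" or "one of the following errors".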
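Review bot: "case-in-sensitive" is misspelled on both changed lines of the identifiers hunk (-736,+718); it should be "case-insensitive". The changed sentence "Because it's case-in-sensitive, so you can feel free to use following query to read snowflake data while the result is the same:" also keeps the redundant "Because ... so" construction and lowercase "snowflake"; suggest "Because unquoted identifiers are case-insensitive, any of the following queries reads the same Snowflake data:".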
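Review bot: The changed Symptoms line in the VARIANT hunk (-763,+745) keeps "you might meet the following error", while the other hunks in this file replaced "may meet" with "might see"; use "you might see the following error" here too for consistency.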
diff --git a/articles/data-factory/media/airflow-install-private-package/import-requirements-airflow-environment.png b/articles/data-factory/media/airflow-install-private-package/import-requirements-airflow-environment.png index 8efb9b67c5f83..a6c10cefb086a 100644 Binary files a/articles/data-factory/media/airflow-install-private-package/import-requirements-airflow-environment.png and b/articles/data-factory/media/airflow-install-private-package/import-requirements-airflow-environment.png differ diff --git a/articles/data-factory/media/author-visually/repo-settings.png b/articles/data-factory/media/author-visually/repo-settings.png index ca5ba0d7394ea..2828c19ba6b22 100644 Binary files a/articles/data-factory/media/author-visually/repo-settings.png and b/articles/data-factory/media/author-visually/repo-settings.png differ diff --git a/articles/data-factory/media/concepts-workflow-orchestration-manager/architecture.png b/articles/data-factory/media/concepts-workflow-orchestration-manager/architecture.png index fe0300fedfd40..ae067f177aa68 100644 Binary files a/articles/data-factory/media/concepts-workflow-orchestration-manager/architecture.png and b/articles/data-factory/media/concepts-workflow-orchestration-manager/architecture.png differ diff --git a/articles/data-factory/media/copy-data-from-web-table/PowerQuery-Menu.png b/articles/data-factory/media/copy-data-from-web-table/PowerQuery-Menu.png index e9c99771899ec..2a0f56e42c3f7 100644 Binary files a/articles/data-factory/media/copy-data-from-web-table/PowerQuery-Menu.png and b/articles/data-factory/media/copy-data-from-web-table/PowerQuery-Menu.png differ diff --git a/articles/data-factory/media/credentials/create-new-credential.png b/articles/data-factory/media/credentials/create-new-credential.png index 4f0a1ef046226..d4d2ca2340e91 100644 Binary files a/articles/data-factory/media/credentials/create-new-credential.png and b/articles/data-factory/media/credentials/create-new-credential.png differ 
diff --git a/articles/data-factory/media/credentials/synapse-uami-azure-portal.png b/articles/data-factory/media/credentials/synapse-uami-azure-portal.png index 4f120d2a0b37e..b6bdaf5e39012 100644 Binary files a/articles/data-factory/media/credentials/synapse-uami-azure-portal.png and b/articles/data-factory/media/credentials/synapse-uami-azure-portal.png differ diff --git a/articles/data-factory/media/cross-tenant-connections-to-azure-devops/choose-directory.png b/articles/data-factory/media/cross-tenant-connections-to-azure-devops/choose-directory.png index 6bbdf38a00c6d..7aee9e20fadc3 100644 Binary files a/articles/data-factory/media/cross-tenant-connections-to-azure-devops/choose-directory.png and b/articles/data-factory/media/cross-tenant-connections-to-azure-devops/choose-directory.png differ diff --git a/articles/data-factory/media/cross-tenant-connections-to-azure-devops/cross-tenant-sign-in-confirm.png b/articles/data-factory/media/cross-tenant-connections-to-azure-devops/cross-tenant-sign-in-confirm.png index d49fcc4011886..8c3bc44b25385 100644 Binary files a/articles/data-factory/media/cross-tenant-connections-to-azure-devops/cross-tenant-sign-in-confirm.png and b/articles/data-factory/media/cross-tenant-connections-to-azure-devops/cross-tenant-sign-in-confirm.png differ diff --git a/articles/data-factory/media/cross-tenant-connections-to-azure-devops/cross-tenant-sign-in.png b/articles/data-factory/media/cross-tenant-connections-to-azure-devops/cross-tenant-sign-in.png index 8bc2328a6709d..d7a0874b8f130 100644 Binary files a/articles/data-factory/media/cross-tenant-connections-to-azure-devops/cross-tenant-sign-in.png and b/articles/data-factory/media/cross-tenant-connections-to-azure-devops/cross-tenant-sign-in.png differ 
diff --git a/articles/data-factory/media/data-factory-service-identity/system-managed-identity-in-portal-synapse.png b/articles/data-factory/media/data-factory-service-identity/system-managed-identity-in-portal-synapse.png index ea37247489416..5718024229606 100644 Binary files a/articles/data-factory/media/data-factory-service-identity/system-managed-identity-in-portal-synapse.png and b/articles/data-factory/media/data-factory-service-identity/system-managed-identity-in-portal-synapse.png differ diff --git a/articles/data-factory/media/data-flow-create/open-synapse-studio-from-portal.png b/articles/data-factory/media/data-flow-create/open-synapse-studio-from-portal.png index 4397f5af49cae..4ea7df26a3762 100644 Binary files a/articles/data-factory/media/data-flow-create/open-synapse-studio-from-portal.png and b/articles/data-factory/media/data-flow-create/open-synapse-studio-from-portal.png differ diff --git a/articles/data-factory/media/data-flow-troubleshoot-connector-format/storage-account-configuration.png b/articles/data-factory/media/data-flow-troubleshoot-connector-format/storage-account-configuration.png deleted file mode 100644 index bac9612ace8be..0000000000000 Binary files a/articles/data-factory/media/data-flow-troubleshoot-connector-format/storage-account-configuration.png and /dev/null differ diff --git a/articles/data-factory/media/enable-azure-key-vault/airflow-configuration-overrides.png b/articles/data-factory/media/enable-azure-key-vault/airflow-configuration-overrides.png index 1aff1ea2bc19a..a4cf6a6e4ab8f 100644 Binary files a/articles/data-factory/media/enable-azure-key-vault/airflow-configuration-overrides.png and b/articles/data-factory/media/enable-azure-key-vault/airflow-configuration-overrides.png differ 
diff --git a/articles/data-factory/media/enable-azure-key-vault/airflow-environment-setup.png b/articles/data-factory/media/enable-azure-key-vault/airflow-environment-setup.png index 1415cacb92908..2f326bf794fca 100644 Binary files a/articles/data-factory/media/enable-azure-key-vault/airflow-environment-setup.png and b/articles/data-factory/media/enable-azure-key-vault/airflow-environment-setup.png differ diff --git a/articles/data-factory/media/enable-azure-key-vault/environment-variables.png b/articles/data-factory/media/enable-azure-key-vault/environment-variables.png index fc1c9c50ceef2..89b0f46395513 100644 Binary files a/articles/data-factory/media/enable-azure-key-vault/environment-variables.png and b/articles/data-factory/media/enable-azure-key-vault/environment-variables.png differ diff --git a/articles/data-factory/media/enable-customer-managed-key/encryption-customer-managed-keys-diagram.png b/articles/data-factory/media/enable-customer-managed-key/encryption-customer-managed-keys-diagram.png index 0eba45ea7ba42..5661ab785e202 100644 Binary files a/articles/data-factory/media/enable-customer-managed-key/encryption-customer-managed-keys-diagram.png and b/articles/data-factory/media/enable-customer-managed-key/encryption-customer-managed-keys-diagram.png differ diff --git a/articles/data-factory/media/how-does-workflow-orchestration-manager-work/airflow-environment-details.png b/articles/data-factory/media/how-does-workflow-orchestration-manager-work/airflow-environment-details.png index fc331f0d1f588..a3026ea181c3e 100644 Binary files a/articles/data-factory/media/how-does-workflow-orchestration-manager-work/airflow-environment-details.png and b/articles/data-factory/media/how-does-workflow-orchestration-manager-work/airflow-environment-details.png differ 
diff --git a/articles/data-factory/media/how-does-workflow-orchestration-manager-work/create-new-airflow.png b/articles/data-factory/media/how-does-workflow-orchestration-manager-work/create-new-airflow.png index 72b668c95eac8..54fc0205f7674 100644 Binary files a/articles/data-factory/media/how-does-workflow-orchestration-manager-work/create-new-airflow.png and b/articles/data-factory/media/how-does-workflow-orchestration-manager-work/create-new-airflow.png differ diff --git a/articles/data-factory/media/kubernetes-secret-pull-image-from-private-container-registry/add-kubernetes-secret.png b/articles/data-factory/media/kubernetes-secret-pull-image-from-private-container-registry/add-kubernetes-secret.png index 613be28c9750d..fbd5b6a58cc62 100644 Binary files a/articles/data-factory/media/kubernetes-secret-pull-image-from-private-container-registry/add-kubernetes-secret.png and b/articles/data-factory/media/kubernetes-secret-pull-image-from-private-container-registry/add-kubernetes-secret.png differ diff --git a/articles/data-factory/media/monitor-using-azure-monitor/alerts.png b/articles/data-factory/media/monitor-using-azure-monitor/alerts.png new file mode 100644 index 0000000000000..b9406b2aeffe9 Binary files /dev/null and b/articles/data-factory/media/monitor-using-azure-monitor/alerts.png differ diff --git a/articles/data-factory/media/monitor-using-azure-monitor/alerts_image10.png b/articles/data-factory/media/monitor-using-azure-monitor/alerts_image10.png deleted file mode 100644 index 35d7b81ecba88..0000000000000 Binary files a/articles/data-factory/media/monitor-using-azure-monitor/alerts_image10.png and /dev/null differ diff --git a/articles/data-factory/media/monitor-using-azure-monitor/alerts_image11.png b/articles/data-factory/media/monitor-using-azure-monitor/alerts_image11.png deleted file mode 100644 index ed2220406bd31..0000000000000 Binary files a/articles/data-factory/media/monitor-using-azure-monitor/alerts_image11.png and /dev/null differ 
diff --git a/articles/data-factory/media/monitor-using-azure-monitor/alerts_image12.png b/articles/data-factory/media/monitor-using-azure-monitor/alerts_image12.png deleted file mode 100644 index abea44bddd0b2..0000000000000 Binary files a/articles/data-factory/media/monitor-using-azure-monitor/alerts_image12.png and /dev/null differ diff --git a/articles/data-factory/media/monitor-using-azure-monitor/alerts_image3.png b/articles/data-factory/media/monitor-using-azure-monitor/alerts_image3.png deleted file mode 100644 index 406800688bd89..0000000000000 Binary files a/articles/data-factory/media/monitor-using-azure-monitor/alerts_image3.png and /dev/null differ diff --git a/articles/data-factory/media/monitor-using-azure-monitor/alerts_image4.png b/articles/data-factory/media/monitor-using-azure-monitor/alerts_image4.png deleted file mode 100644 index 97c84b8a93f21..0000000000000 Binary files a/articles/data-factory/media/monitor-using-azure-monitor/alerts_image4.png and /dev/null differ diff --git a/articles/data-factory/media/monitor-using-azure-monitor/alerts_image5.png b/articles/data-factory/media/monitor-using-azure-monitor/alerts_image5.png deleted file mode 100644 index 651cf9e49ba99..0000000000000 Binary files a/articles/data-factory/media/monitor-using-azure-monitor/alerts_image5.png and /dev/null differ diff --git a/articles/data-factory/media/monitor-using-azure-monitor/alerts_image6.png b/articles/data-factory/media/monitor-using-azure-monitor/alerts_image6.png deleted file mode 100644 index b4b93c2941abe..0000000000000 Binary files a/articles/data-factory/media/monitor-using-azure-monitor/alerts_image6.png and /dev/null differ 
diff --git a/articles/data-factory/media/monitor-using-azure-monitor/alerts_image7.png b/articles/data-factory/media/monitor-using-azure-monitor/alerts_image7.png deleted file mode 100644 index 384b21320c2a6..0000000000000 Binary files a/articles/data-factory/media/monitor-using-azure-monitor/alerts_image7.png and /dev/null differ diff --git a/articles/data-factory/media/monitor-using-azure-monitor/alerts_image8.png b/articles/data-factory/media/monitor-using-azure-monitor/alerts_image8.png deleted file mode 100644 index 28494c013bec0..0000000000000 Binary files a/articles/data-factory/media/monitor-using-azure-monitor/alerts_image8.png and /dev/null differ diff --git a/articles/data-factory/media/monitor-using-azure-monitor/alerts_image9.png b/articles/data-factory/media/monitor-using-azure-monitor/alerts_image9.png deleted file mode 100644 index ac63adc6f5645..0000000000000 Binary files a/articles/data-factory/media/monitor-using-azure-monitor/alerts_image9.png and /dev/null differ diff --git a/articles/data-factory/media/monitor-using-azure-monitor/create-action-group.png b/articles/data-factory/media/monitor-using-azure-monitor/create-action-group.png new file mode 100644 index 0000000000000..ca31e354bf1e9 Binary files /dev/null and b/articles/data-factory/media/monitor-using-azure-monitor/create-action-group.png differ diff --git a/articles/data-factory/media/monitor-using-azure-monitor/create-actions.png b/articles/data-factory/media/monitor-using-azure-monitor/create-actions.png new file mode 100644 index 0000000000000..7d62e5c08263c Binary files /dev/null and b/articles/data-factory/media/monitor-using-azure-monitor/create-actions.png differ 
diff --git a/articles/data-factory/media/monitor-using-azure-monitor/create-alert-rule.png b/articles/data-factory/media/monitor-using-azure-monitor/create-alert-rule.png new file mode 100644 index 0000000000000..c9f06774f09b6 Binary files /dev/null and b/articles/data-factory/media/monitor-using-azure-monitor/create-alert-rule.png differ diff --git a/articles/data-factory/media/monitor-using-azure-monitor/define-actions.png b/articles/data-factory/media/monitor-using-azure-monitor/define-actions.png new file mode 100644 index 0000000000000..6b70e5688159a Binary files /dev/null and b/articles/data-factory/media/monitor-using-azure-monitor/define-actions.png differ diff --git a/articles/data-factory/media/monitor-using-azure-monitor/monitor.png b/articles/data-factory/media/monitor-using-azure-monitor/monitor.png new file mode 100644 index 0000000000000..647575ef0f39e Binary files /dev/null and b/articles/data-factory/media/monitor-using-azure-monitor/monitor.png differ diff --git a/articles/data-factory/media/monitor-using-azure-monitor/review-create-action-group.png b/articles/data-factory/media/monitor-using-azure-monitor/review-create-action-group.png new file mode 100644 index 0000000000000..bf85050bf0054 Binary files /dev/null and b/articles/data-factory/media/monitor-using-azure-monitor/review-create-action-group.png differ diff --git a/articles/data-factory/media/monitor-using-azure-monitor/select-condition.png b/articles/data-factory/media/monitor-using-azure-monitor/select-condition.png new file mode 100644 index 0000000000000..c208a8d10b323 Binary files /dev/null and b/articles/data-factory/media/monitor-using-azure-monitor/select-condition.png differ 
diff --git a/articles/data-factory/media/monitor-using-azure-monitor/select-scope.png b/articles/data-factory/media/monitor-using-azure-monitor/select-scope.png new file mode 100644 index 0000000000000..5bff990e1bd1e Binary files /dev/null and b/articles/data-factory/media/monitor-using-azure-monitor/select-scope.png differ diff --git a/articles/data-factory/media/quickstart-create-data-factory-bicep/data-factory-bicep-upload-blob-file.png b/articles/data-factory/media/quickstart-create-data-factory-bicep/data-factory-bicep-upload-blob-file.png index b95f0a665a383..c6a4ec6150a4f 100644 Binary files a/articles/data-factory/media/quickstart-create-data-factory-bicep/data-factory-bicep-upload-blob-file.png and b/articles/data-factory/media/quickstart-create-data-factory-bicep/data-factory-bicep-upload-blob-file.png differ diff --git a/articles/data-factory/media/quickstart-create-data-factory-resource-manager-template/data-factory-arm-template-upload-blob-file.png b/articles/data-factory/media/quickstart-create-data-factory-resource-manager-template/data-factory-arm-template-upload-blob-file.png index 95d852d14d923..61f6f517ed2fc 100644 Binary files a/articles/data-factory/media/quickstart-create-data-factory-resource-manager-template/data-factory-arm-template-upload-blob-file.png and b/articles/data-factory/media/quickstart-create-data-factory-resource-manager-template/data-factory-arm-template-upload-blob-file.png differ diff --git a/articles/data-factory/media/quota-increase/help-plus-support.png b/articles/data-factory/media/quota-increase/help-plus-support.png index 49b301e0f0a7b..c97d07f571b45 100644 Binary files a/articles/data-factory/media/quota-increase/help-plus-support.png and b/articles/data-factory/media/quota-increase/help-plus-support.png differ 
diff --git a/articles/data-factory/media/self-hosted-integration-runtime-troubleshoot-guide/enable-public-network-access-synapse.png b/articles/data-factory/media/self-hosted-integration-runtime-troubleshoot-guide/enable-public-network-access-synapse.png index 503826d80ea4b..c69a6be529044 100644 Binary files a/articles/data-factory/media/self-hosted-integration-runtime-troubleshoot-guide/enable-public-network-access-synapse.png and b/articles/data-factory/media/self-hosted-integration-runtime-troubleshoot-guide/enable-public-network-access-synapse.png differ diff --git a/articles/data-factory/media/tutorial-hybrid-copy-powershell/from-on-premises-file.png b/articles/data-factory/media/tutorial-hybrid-copy-powershell/from-on-premises-file.png new file mode 100644 index 0000000000000..ccba75f63facb Binary files /dev/null and b/articles/data-factory/media/tutorial-hybrid-copy-powershell/from-on-premises-file.png differ diff --git a/articles/data-factory/media/tutorial-hybrid-copy-powershell/fromonprem-file.png b/articles/data-factory/media/tutorial-hybrid-copy-powershell/fromonprem-file.png deleted file mode 100644 index 80866a824492d..0000000000000 Binary files a/articles/data-factory/media/tutorial-hybrid-copy-powershell/fromonprem-file.png and /dev/null differ diff --git a/articles/data-factory/media/tutorial-incremental-copy-change-tracking-feature-portal/full-copy-output-file.png b/articles/data-factory/media/tutorial-incremental-copy-change-tracking-feature-portal/full-copy-output-file.png index 7aa33ecc02a50..93c1016b0d231 100644 Binary files a/articles/data-factory/media/tutorial-incremental-copy-change-tracking-feature-portal/full-copy-output-file.png and b/articles/data-factory/media/tutorial-incremental-copy-change-tracking-feature-portal/full-copy-output-file.png differ 
diff --git a/articles/data-factory/media/tutorial-incremental-copy-change-tracking-feature-portal/incremental-copy-output-file.png b/articles/data-factory/media/tutorial-incremental-copy-change-tracking-feature-portal/incremental-copy-output-file.png index fffcf207f2565..a5a647352f0f8 100644 Binary files a/articles/data-factory/media/tutorial-incremental-copy-change-tracking-feature-portal/incremental-copy-output-file.png and b/articles/data-factory/media/tutorial-incremental-copy-change-tracking-feature-portal/incremental-copy-output-file.png differ diff --git a/articles/data-factory/monitor-metrics-alerts.md b/articles/data-factory/monitor-metrics-alerts.md index d4f4050bcdea0..1532b98eb9211 100644 --- a/articles/data-factory/monitor-metrics-alerts.md +++ b/articles/data-factory/monitor-metrics-alerts.md @@ -1,13 +1,13 @@ --- title: Data Factory metrics and alerts -description: Learn about metrics available for monitoring Azure Data Factory. +description: This article shows you how to create monitoring alerts for metrics available for Azure Data Factory. author: nabhishek ms.author: abnarain ms.reviewer: jburchel ms.service: data-factory ms.subservice: monitoring ms.topic: conceptual -ms.date: 10/20/2023 +ms.date: 03/18/2024 --- # Data Factory metrics and alerts 
@@ -44,15 +44,15 @@ Here are some of the metrics emitted by Azure Data Factory version 2. | PipelineElapsedTimeRuns | Elapsed time pipeline runs metrics | Count | Total | Number of times, within a minute window, a pipeline runs longer than user-defined expected duration. [(See more.)](tutorial-operationalize-pipelines.md) | | IntegrationRuntimeAvailableMemory | Available memory for integration runtime | Byte | Total | The total number of bytes of available memory for the self-hosted integration runtime within a minute window. | | IntegrationRuntimeAvailableNodeNumber | Available nodes for integration runtime | Count | Total | The total number of nodes available for the self-hosted integration runtime within a minute window. | -| IntegrationRuntimeCpuPercentage | CPU utilization for integration runtime | Percent | Total | The percetange of CPU utilization for the self-hosted integration runtime within a minute window. | +| IntegrationRuntimeCpuPercentage | CPU utilization for integration runtime | Percent | Total | The percentage of CPU utilization for the self-hosted integration runtime within a minute window. | | IntegrationRuntimeAverageTaskPickupDelay | Queue duration for integration runtime | Seconds | Total | The queue duration for the self-hosted integration runtime within a minute window. | | IntegrationRuntimeQueueLength | Queue length for integration runtime | Count | Total | The total queue length for the self-hosted integration runtime within a minute window. | -| Maximum allowed entities count | Maxixum number of entities | Count | Total | The maximum number of entities in the Azure Data Factory instance. | +| Maximum allowed entities count | Maximum number of entities | Count | Total | The maximum number of entities in the Azure Data Factory instance. | | Maximum allowed factory size (GB unit) | Maximum size of entities | Gigabyte | Total | The maximum size of entities in the Azure Data Factory instance. 
| | Total entities count | Total number of entities | Count | Total | The total number of entities in the Azure Data Factory instance. | | Total factory size (GB unit) | Total size of entities | Gigabyte | Total | The total size of entities in the Azure Data Factory instance. | -For service limits and quotas please see [quotas and limits](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-data-factory-limits). +For service limits and quotas, see [quotas and limits](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-data-factory-limits). To access the metrics, complete the instructions in [Azure Monitor data platform](../azure-monitor/data-platform.md). > [!NOTE] 
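Review bot: The typo fixes (percentage, Maximum) are correct. While this table is being touched, two rows are worth a second look: IntegrationRuntimeAverageTaskPickupDelay lists aggregation "Total" for a metric whose name and description describe an average duration in seconds, so confirm whether "Average" is the intended aggregation before readers build alert thresholds on it; and the last four rows ("Maximum allowed entities count", "Maximum allowed factory size (GB unit)", "Total entities count", "Total factory size (GB unit)") use display names where every other row uses the metric identifier, so consider adding the identifiers readers need when selecting the signal in an alert rule.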
@@ -60,43 +60,42 @@ To access the metrics, complete the instructions in [Azure Monitor data platform ## Data Factory alerts -Sign in to the Azure portal, and select **Monitor** > **Alerts** to create alerts. +Sign in to the Azure portal, and use the main menu at the top left of the screen to select **Monitor**, and then **Alerts** to create alerts. -:::image type="content" source="media/monitor-using-azure-monitor/alerts_image3.png" alt-text="Screenshot that shows alerts in the portal menu."::: +:::image type="content" source="media/monitor-using-azure-monitor/monitor.png" alt-text="Screenshot that shows the Monitoring tab in the Azure portal menu."::: -### Create alerts - -1. Select **+ New Alert Rule** to create a new alert. - - :::image type="content" source="media/monitor-using-azure-monitor/alerts_image4.png" lightbox="media/monitor-using-azure-monitor/alerts_image4.png" alt-text="Screenshot that shows creating a new alert rule."::: +:::image type="content" source="media/monitor-using-azure-monitor/alerts.png" alt-text="Screenshot showing the Alerts section in the Monitor page for Azure."::: -1. Define the alert condition. +### Create alerts - > [!NOTE] - > Make sure to select **All** in the **Filter by resource type** dropdown list. +1. Select **+ Create** and **Alert rule** to create a new alert. - :::image type="content" source="media/monitor-using-azure-monitor/alerts_image5.png" alt-text="Screenshot that shows the selections for opening the pane for choosing a resource."::: + :::image type="content" source="media/monitor-using-azure-monitor/create-alert-rule.png" alt-text="Screenshot that shows where to create a new alert rule."::: - :::image type="content" source="media/monitor-using-azure-monitor/alerts_image6.png" lightbox="media/monitor-using-azure-monitor/alerts_image6.png" alt-text="Screenshot that shows the selections for opening the pane for configuring signal logic."::: +1. 
Select the **Scope** and browse to find the data factory instance you want to create the alert for. - :::image type="content" source="media/monitor-using-azure-monitor/alerts_image7.png" lightbox="media/monitor-using-azure-monitor/alerts_image7.png" alt-text="Screenshot that shows configuring the signal logic."::: + :::image type="content" source="media/monitor-using-azure-monitor/select-scope.png" alt-text="Screenshot showing where to select the scope for a new alert rule."::: -1. Define the alert details. +1. Next, select the **Condition** tab and define the alert condition, then select **Next: Actions**. - :::image type="content" source="media/monitor-using-azure-monitor/alerts_image8.png" lightbox="media/monitor-using-azure-monitor/alerts_image8.png" alt-text="Screenshot that shows alert details."::: + :::image type="content" source="media/monitor-using-azure-monitor/select-condition.png" alt-text="Screenshot that shows the definition of the alert condition."::: -1. Define the action group. +1. On the **Basics** tab, select an existing action group or create a new one. > [!NOTE] > The action group must be created within the same resource group as the data factory instance in order to be available for use from the data factory. - :::image type="content" source="media/monitor-using-azure-monitor/alerts_image9.png" alt-text="Screenshot that shows creating a rule, with New action group highlighted."::: + :::image type="content" source="media/monitor-using-azure-monitor/create-actions.png" alt-text="Screenshot that shows where to select or create an action group for the alert."::: + + :::image type="content" source="media/monitor-using-azure-monitor/create-action-group.png" alt-text="Screenshot showing where the Create action group screen."::: + +1. You can define email or SMS notifications if you need, on the **Notfications** tab, but this step is optional. 
To define actions within the action group, select the **Actions** tab and configure any of the **Action type** options you need. This step is also optional. Once you're done configuring notifications or actions for the action group, select **Review + create**. - :::image type="content" source="media/monitor-using-azure-monitor/alerts_image10.png" alt-text="Screenshot that shows creating a new action group."::: + :::image type="content" source="media/monitor-using-azure-monitor/define-actions.png" alt-text="Screenshot showing where to define actions for your action group."::: - :::image type="content" source="media/monitor-using-azure-monitor/alerts_image11.png" alt-text="Screenshot that shows configuring email, SMS, push, and voice."::: +1. On the **Review + create** tab, review your action group definition and select **Create** to finish. - :::image type="content" source="media/monitor-using-azure-monitor/alerts_image12.png" lightbox="media/monitor-using-azure-monitor/alerts_image12.png" alt-text="Screenshot that shows defining an action group."::: + :::image type="content" source="media/monitor-using-azure-monitor/review-create-action-group.png" alt-text="Screenshot showing the Review + create tab for the newly created action group."::: ## Related content diff --git a/articles/data-factory/source-control.md b/articles/data-factory/source-control.md index 3d20e817f86fb..70e8261732ff0 100644 --- a/articles/data-factory/source-control.md +++ b/articles/data-factory/source-control.md @@ -1,12 +1,12 @@ --- title: Source control -description: Learn how to configure source control in Azure Data Factory +description: Learn how to configure source control in Azure Data Factory. ms.service: data-factory ms.subservice: ci-cd author: nabhishek ms.author: abnarain ms.topic: conceptual -ms.date: 11/06/2023 +ms.date: 03/19/2024 --- # Source control in Azure Data Factory 
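Review bot: In the Data Factory alerts hunk of monitor-using-azure-monitor.md (`@@ -60,43 +60,42`), the added step `You can define email or SMS notifications if you need, on the **Notfications** tab` misspells the tab name; it should read `**Notifications**`. The new alt text `Screenshot showing where the Create action group screen.` is missing a verb; `Screenshot showing the Create action group screen.` reads correctly. The step order is also hard to follow: step 3 ends with `select **Next: Actions**` but step 4 opens `On the **Basics** tab`, so state which pane each tab belongs to, since steps 5 and 6 clearly describe the Create action group pane and not the alert rule wizard.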
@@ -16,7 +16,7 @@ By default, the Azure Data Factory user interface experience (UX) authors direct - The Data Factory service doesn't include a repository for storing the JSON entities for your changes. The only way to save changes is via the **Publish All** button and all changes are published directly to the data factory service. - The Data Factory service isn't optimized for collaboration and version control. -- The Azure Resource Manager template required to deploy Data Factory itself is not included. +- The Azure Resource Manager template required to deploy Data Factory itself isn't included. To provide a better authoring experience, Azure Data Factory allows you to configure a Git repository with either Azure Repos or GitHub. Git is a version control system that allows for easier change tracking and collaboration. This article outlines how to configure and work in a git repository along with highlighting best practices and a troubleshooting guide. 
@@ -33,12 +33,12 @@ To learn more about how Azure Data Factory integrates with Git, view the 15-minu Below is a list of some of the advantages git integration provides to the authoring experience: -- **Source control:** As your data factory workloads become crucial, you would want to integrate your factory with Git to leverage several source control benefits like the following: +- **Source control:** As your data factory workloads become crucial, you would want to integrate your factory with Git to apply several source control benefits like the following: - Ability to track/audit changes. - Ability to revert changes that introduced bugs. -- **Partial saves:** When authoring against the data factory service, you can't save changes as a draft and all publishes must pass data factory validation. Whether your pipelines are not finished or you simply don't want to lose changes if your computer crashes, git integration allows for incremental changes of data factory resources regardless of what state they are in. Configuring a git repository allows you to save changes, letting you only publish when you have tested your changes to your satisfaction. +- **Partial saves:** When authoring against the data factory service, you can't save changes as a draft, and all publishes must pass data factory validation. Whether your pipelines aren't finished or you simply don't want to lose changes if your computer crashes, git integration allows for incremental changes of data factory resources regardless of what state they are in. Configuring a git repository allows you to save changes, letting you only publish after you test your changes to your satisfaction. - **Collaboration and control:** If you have multiple team members contributing to the same factory, you might want to let your teammates collaborate with each other via a code review process. You can also set up your factory such that not every contributor has equal permissions. 
Some team members might only be allowed to make changes via Git and only certain people in the team are allowed to publish the changes to the factory. -- **Better CI/CD:** If you are deploying to multiple environments with a [continuous delivery process](continuous-integration-delivery.md), git integration makes certain actions easier. Some of these actions include: +- **Better CI/CD:** If you're deploying to multiple environments with a [continuous delivery process](continuous-integration-delivery.md), git integration makes certain actions easier. Some of these actions include: - Configure your release pipeline to trigger automatically as soon as there are any changes made to your 'dev' factory. - Customize the properties in your factory that are available as parameters in the Resource Manager template. It can be useful to keep only the required set of properties as parameters, and have everything else hard-coded. - **Better Performance:** An average factory with git integration loads 10 times faster than one authoring against the data factory service. This performance improvement is because resources are downloaded via Git. @@ -48,7 +48,7 @@ Below is a list of some of the advantages git integration provides to the author ## Connect to a Git repository -There are four different ways to connect a Git repository to your data factory for both Azure Repos and GitHub. After you connect to a Git repository, you can view and manage your configuration in the [management hub](author-management-hub.md) under **Git configuration** in the **Source control** section +There are four different ways to connect a Git repository to your data factory for both Azure Repos and GitHub. After you connect to a Git repository, you can view and manage your configuration in the [management hub](author-management-hub.md) under **Git configuration** in the **Source control** section. ### Configuration method 1: Home page 
@@ -64,7 +64,7 @@ In the Azure Data Factory UX authoring canvas, select the **Data Factory** drop- ### Configuration method 3: Management hub -Go to the management hub in the ADF UX. Select **Git configuration** in the **Source control** section. If you have no repository connected, click **Configure**. +Go to the management hub in the Azure Data Factory Studio. Select **Git configuration** in the **Source control** section. If you have no repository connected, select **Configure**. :::image type="content" source="media/author-visually/configure-repo-3.png" alt-text="Configure the code repository settings from management hub"::: 
@@ -81,16 +81,14 @@ When creating a new data factory in the Azure portal, you can configure Git repo Visual authoring with Azure Repos Git integration supports source control and collaboration for work on your data factory pipelines. You can associate a data factory with an Azure Repos Git organization repository for source control, collaboration, versioning, and so on. A single Azure Repos Git organization can have multiple repositories, but an Azure Repos Git repository can be associated with only one data factory. If you don't have an Azure Repos organization or repository, follow [these instructions](/azure/devops/organizations/accounts/create-organization?view=azure-devops&preserve-view=true) to create your resources. - - > [!NOTE] > You can store script and data files in an Azure Repos Git repository. However, you have to upload the files manually to Azure Storage. A data factory pipeline doesn't automatically upload script or data files stored in an Azure Repos Git repository to Azure Storage. Additional files such as ARM templates, scripts, or configuration files, can be stored in the repository outside of the mapped folder. If you do this, keep in mind that an additional task is required to build/deploy and interact with the files stored outside of the mapped Azure DevOps folder. ### Azure Repos settings -:::image type="content" source="media/author-visually/repo-settings.png" alt-text="Configure the code repository settings."::: +:::image type="content" source="media/author-visually/repo-settings.png" alt-text="Screenshot showing the Configure a repository settings."::: -The configuration pane shows the following Azure Repos code repository settings: +The configuration pane walks you step-by-step through configuring each of the following code repository settings: | Setting | Description | Value | |:--- |:--- |:--- | 
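Review bot: In the Azure Repos settings hunk of source-control.md (`@@ -81,16 +81,14`), the new alt text `Screenshot showing the Configure a repository settings.` is ungrammatical; use `Screenshot showing the Configure a repository pane.` or `Screenshot of the repository configuration settings.`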
@@ -123,7 +121,7 @@ You can update your publish branch and decide whether or not to disable the publ ### Use a different Microsoft Entra tenant -The Azure Repos Git repo can be in a different Microsoft Entra tenant. To specify a different Microsoft Entra tenant, you have to have administrator permissions for the Azure subscription that you're using. For more info, see [change subscription administrator](../cost-management-billing/manage/add-change-subscription-administrator.md#to-assign-a-user-as-an-administrator) +The Azure Repos Git repo can be in a different Microsoft Entra tenant. To specify a different Microsoft Entra tenant, you have to have administrator permissions for the Azure subscription that you're using. For more info, see [change subscription administrator](../cost-management-billing/manage/add-change-subscription-administrator.md#to-assign-a-user-as-an-administrator). > [!IMPORTANT] > To connect to another Microsoft Entra ID, the user logged in must be a part of that active directory. @@ -134,7 +132,7 @@ To use a personal Microsoft account for Git integration, you can link your perso 1. Add your personal Microsoft account to your organization's Active Directory as a guest. For more info, see [Add Microsoft Entra B2B collaboration users in the Azure portal](../active-directory/external-identities/add-users-administrator.md). -2. Log in to the Azure portal with your personal Microsoft account. Then switch to your organization's Active Directory. +2. Sign in to the Azure portal with your personal Microsoft account. Then switch to your organization's Active Directory. 3. Go to the Azure DevOps section, where you now see your personal repo. Select the repo and connect with Active Directory. 
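Review bot: In the personal Microsoft account hunk of source-control.md (`@@ -134,7 +132,7`), the rewritten step `Sign in to the Azure portal with your personal Microsoft account. Then switch to your organization's Active Directory.` keeps the retired product name; since the section heading and surrounding text use Microsoft Entra, change it to `switch to your organization's Microsoft Entra tenant`. The unchanged step 1 and the IMPORTANT note above it have the same inconsistency and could be fixed in the same pass.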
@@ -144,11 +142,11 @@ For more info about connecting Azure Repos to your organization's Active Directo ## Author with GitHub integration -Visual authoring with GitHub integration supports source control and collaboration for work on your data factory pipelines. You can associate a data factory with a GitHub account repository for source control, collaboration, versioning. A single GitHub account can have multiple repositories, but a GitHub repository can be associated with only one data factory. If you don't have a GitHub account or repository, follow [these instructions](https://github.com/join) to create your resources. +Visual authoring with GitHub integration supports source control and collaboration for work on your data factory pipelines. You can associate a data factory with a GitHub account repository for source control, collaboration, versioning. A single GitHub account can have multiple repositories, but a GitHub repository can be associated with only one data factory. If you don't have a GitHub account or repository, follow [these instructions](https://github.com/join) to create your resources. The GitHub integration with Data Factory supports both public GitHub (that is, [https://github.com](https://github.com)), GitHub Enterprise Cloud and GitHub Enterprise Server. You can use both public and private GitHub repositories with Data Factory as long you have read and write permission to the repository in GitHub. To connect with a public repository, select the **Use Link Repository option**, as they aren't visible in the dropdown menu of **Repository name**. ADF’s GitHub enterprise server integration only works with [officially supported versions of GitHub enterprise server.](https://docs.github.com/en/enterprise-server@3.1/admin/all-releases) -For repositories owned by GitHub organization account, the admin has to authorize the ADF app. For repositories owned by GitHub user account, a user with at least collaborator permission can authorize ADF app. 
This doesn't give ADF app direct access to all the repositories owned by the account/organization, it only allows the ADF app to act on-behalf of the user to access repositories based on user's access permissions. +For repositories owned by GitHub organization account, the admin has to authorize the ADF app. For repositories owned by GitHub user account, a user with at least collaborator permission can authorize ADF app. This permission doesn't give ADF app direct access to all the repositories owned by the account/organization, it only allows the ADF app to act on-behalf of the user to access repositories based on user's access permissions. > [!NOTE] > If you are using Microsoft Edge, GitHub Enterprise version less than 2.1.4 does not work with it. GitHub officially supports >=3.0 and these all should be fine for ADF. As GitHub changes its minimum version, ADF supported versions also change. 
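Review bot: In the GitHub integration hunk of source-control.md (`@@ -144,11 +142,11`), the first removed/added pair for `Visual authoring with GitHub integration ...` shows no visible difference, so it is probably a trailing-whitespace change; drop it if it is not intentional. The rewritten permissions sentence is the security-relevant part of this hunk and should be tightened for precision: `This permission doesn't give ADF app direct access ... act on-behalf of the user` reads better as `This permission doesn't give the ADF app direct access to all the repositories owned by the account or organization; it only allows the app to act on behalf of the user, limited to the repositories that user can already access.`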
@@ -196,14 +194,14 @@ Connecting to a GitHub organization requires the organization to grant permissio If you're connecting to public GitHub or GitHub Enterprise Cloud from Azure Data Factory for the first time, follow these steps to connect to a GitHub organization. 1. In the Git configuration pane, enter the organization name in the *GitHub Account* field. A prompt to log into GitHub appears. -1. Login using your user credentials. -1. You'll be asked to authorize Azure Data Factory as an application called *AzureDataFactory*. On this screen, you see an option to grant permission for ADF to access the organization. If you don't see the option to grant permission, ask an admin to manually grant the permission through GitHub. +1. Sign in using your user credentials. +1. You are asked to authorize Azure Data Factory as an application called *AzureDataFactory*. On this screen, you see an option to grant permission for ADF to access the organization. If you don't see the option to grant permission, ask an admin to manually grant the permission through GitHub. -Once you follow these steps, your factory can connect to both public and private repositories within your organization. If you are unable to connect, try clearing the browser cache and retrying. +Once you follow these steps, your factory can connect to both public and private repositories within your organization. If you're unable to connect, try clearing the browser cache and retrying. #### Already connected to public GitHub or GitHub Enterprise Cloud using a personal account -If you have already connected to public GitHub or GitHub Enterprise Cloud and only granted permission to access a personal account, follow the below steps to grant permissions to an organization. +If you already connected to public GitHub or GitHub Enterprise Cloud and only granted permission to access a personal account, follow the below steps to grant permissions to an organization. 1. Go to GitHub and open **Settings**. 
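Review bot: In the organization connection hunk of source-control.md (`@@ -196,14 +194,14`), the change from `If you have already connected` to `If you already connected` is a grammar regression; use `If you've already connected to public GitHub or GitHub Enterprise Cloud ...`. The other edits in this hunk (`Login` to `Sign in`, `You'll be asked` to `You are asked`) are fine.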
@@ -232,7 +230,7 @@ If you connect to GitHub Enterprise Server, you need to use a personal access to ### Known GitHub limitations -- You can store script and data files in a GitHub repository. However, you have to upload the files manually to Azure Storage. A Data Factory pipeline does not automatically upload script or data files stored in a GitHub repository to Azure Storage. +- You can store script and data files in a GitHub repository. However, you have to upload the files manually to Azure Storage. A Data Factory pipeline doesn't automatically upload script or data files stored in a GitHub repository to Azure Storage. - GitHub Enterprise with a version older than 2.14.0 doesn't work in the Microsoft Edge browser. diff --git a/articles/data-factory/tutorial-hybrid-copy-powershell.md b/articles/data-factory/tutorial-hybrid-copy-powershell.md index c3c9acffd4dd5..94fe695b4701b 100644 --- a/articles/data-factory/tutorial-hybrid-copy-powershell.md +++ b/articles/data-factory/tutorial-hybrid-copy-powershell.md @@ -707,7 +707,7 @@ The pipeline automatically creates the output folder named *fromonprem* in the ` 1. Select `fromonprem` in the list of folders. 1. Confirm that you see a file named `dbo.emp.txt`. - :::image type="content" source="media/tutorial-hybrid-copy-powershell/fromonprem-file.png" alt-text="Output file"::: + :::image type="content" source="media/tutorial-hybrid-copy-powershell/from-on-premises-file.png" alt-text="Output file"::: ## Related content diff --git a/articles/data-manager-for-agri/concepts-llm-apis.md b/articles/data-manager-for-agri/concepts-llm-apis.md index 9156cc09c9f12..241b74370e475 100644 --- a/articles/data-manager-for-agri/concepts-llm-apis.md +++ b/articles/data-manager-for-agri/concepts-llm-apis.md 
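Review bot: In the Known GitHub limitations hunk of source-control.md (`@@ -232,7 +230,7`), the rewritten bullet is fine, but the unchanged bullet beneath it states `GitHub Enterprise with a version older than 2.14.0 doesn't work in the Microsoft Edge browser` while the note earlier in the same file says `GitHub Enterprise version less than 2.1.4 does not work with it`; one of the two version numbers is wrong, and since this PR already touches both areas it should make them agree.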
@@ -1,19 +1,23 @@ --- -title: Using LLM APIs in Azure Data Manager for Agriculture -description: Provides information on using natural language to query Azure Data Manager for Agriculture APIs +title: Using generative AI in Data Manager for Agriculture +description: Provides information on using generative AI feature in Azure Data Manager for Agriculture author: gourdsay ms.author: angour ms.service: data-manager-for-agri ms.topic: conceptual -ms.date: 11/14/2023 +ms.date: 3/19/2024 ms.custom: template-concept --- -# About Azure Data Manager for Agriculture LLM APIs +# About Generative AI and Data Manager for Agriculture -Azure Data Manager for Agriculture brings together and transforms data to simplify the process of building digital agriculture and sustainability applications. With new large language model (LLM) APIs, others can develop copilots that turn data into insights on yield, labor needs, harvest windows and more—bringing generative AI to life in agriculture. +The copilot templates for agriculture enable seamless retrieval of data stored in Data Manager for Agriculture so that farming-related context and insights can be queried in conversational context. These capabilities enable customers and partners to build their own agriculture copilots. Customers and partners can deliver insights to users around disease, yield, harvest windows and more, using actual planning, and observational data. While Data Manager for Agriculture isn't required to operationalize copilot templates for agriculture, the Data Manager enables customers to more easily integrate generative AI scenarios for their users. -Our LLM capability enables seamless selection of APIs mapped to farm operations today. In the time to come we'll add the capability to select APIs mapped to soil sensors, weather, and imagery type of data. The skills in our LLM capability allow for a combination of results, calculation of area, ranking, summarizing to help serve customer prompts. 
Our B2B customers can take the context from our data manager, add their own knowledge base, and get summaries, insights and answers to their data questions through our data manager LLM plugin using natural language. +Many customers have proprietary data outside of our data manager, for example Agronomy PDFs, market price data etc. These customers can benefit from our orchestration framework that allows for plugins, embedded data structures, and sub processes to be selected as part of the query flow. + +Customers with farm operations data in our data manager can use our plugins that enable seamless selection of APIs mapped to farm operations today. In the time to come we'll add the capability to select APIs mapped to soil sensors, weather, and imagery type of data. Our data manager focused plugin allows for a combination of results, calculation of area, ranking, summarizing to help serve customer prompts. + +Our copilot templates for agriculture make generative AI in agriculture a reality. > [!NOTE] >Azure might include preview, beta, or other pre-release features, services, software, or regions offered by Microsoft for optional evaluation ("Previews"). Previews are licensed to you as part of [**your agreement**](https://azure.microsoft.com/support) governing use of Azure, and subject to terms applicable to "Previews". @@ -24,7 +28,7 @@ Our LLM capability enables seamless selection of APIs mapped to farm operations ## Prerequisites - An instance of [Azure Data Manager for Agriculture](quickstart-install-data-manager-for-agriculture.md) -- An instance of [Azure OpenAI](../ai-services/openai/how-to/create-resource.md) created in your Azure subscription. +- An instance of [Azure OpenAI](../ai-services/openai/how-to/create-resource.md) created in your Azure subscription - You need [Azure Key Vault](../key-vault/general/quick-create-portal.md) - You need [Azure Container Registry](../container-registry/container-registry-get-started-portal.md) 
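Review bot: In the front-matter and intro hunk of concepts-llm-apis.md (`@@ -1,19 +1,23`), `ms.date: 3/19/2024` uses a different format from the `ms.date: 03/19/2024` set in source-control.md in this same change; use the zero-padded form. In the new body text, `using actual planning, and observational data` has a stray comma, `sub processes` should be `subprocesses`, and `Our data manager focused plugin` needs a hyphen (`data manager-focused`). The new title `About Generative AI and Data Manager for Agriculture` capitalizes `Generative AI` while the description line uses lowercase; pick one.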
@@ -32,15 +36,15 @@ Our LLM capability enables seamless selection of APIs mapped to farm operations >To get started with testing our Azure Data Manager for Agriculture LLM Plugin APIs please fill in this onboarding [**form**](https://forms.office.com/r/W4X381q2rd). In case you need help then reach out to us at madma@microsoft.com. ## High level architecture -The customer has full control as key component deployment is within the customer tenant. Our feature is available to customers via a docker container, which needs to be deployed to the customers Azure App Service. +The customer has full control as key component deployment is within the customer tenant. Our feature is available to customers via a docker container, which needs to be deployed to the customers Azure App Service. :::image type="content" source="./media/concepts-llm-apis/high-level-architecture.png" alt-text="Screenshot showing high level feature architecture."::: -We recommend that you apply content and safety filters on your Azure OpenAI instance. Taking this step ensures that the LLM capability is aligned with guidelines from Microsoft’s Office of Responsible AI. Follow instructions on how to use content filters with Azure OpenAI service at this [link](../ai-services/openai/how-to/content-filters.md) to get started. +We recommend that you apply content and safety filters on your Azure OpenAI instance. Taking this step ensures that the generative AI capability is aligned with guidelines from Microsoft’s Office of Responsible AI. Follow instructions on how to use content filters with Azure OpenAI service at this [link](../ai-services/openai/how-to/content-filters.md) to get started. -## Current uses cases +## Current farm operations related uses cases -We support seamless selection of APIs mapped to farm operations today. This enables use cases that are based on tillage, planting, applications and harvesting type of farm operations. 
Here's a sample list of queries that you can test and use: +We support seamless selection of APIs mapped to farm operations today. This enables use cases that are based on tillage, planting, applications, and harvesting type of farm operations. Here's a sample list of queries that you can test and use: * Show me active fields * What crop was planted in my field (use field name) @@ -54,9 +58,9 @@ We support seamless selection of APIs mapped to farm operations today. This enab * What is the average yield for my field (use field name) with crop (use crop name) * What is the effect of planting dates on yield for crop (use crop name) -These use cases help input providers to plan equipment, seeds, applications and related services and engage better with the farmer. +These use cases help input providers to plan equipment, seeds, applications, and related services and engage better with the farmer. ## Next steps -* Fill this onboarding [**form**](https://forms.office.com/r/W4X381q2rd) to get started with testing our LLM feature. +* Fill this onboarding [**form**](https://forms.office.com/r/W4X381q2rd) to get started with testing our copilot templates feature. * View our Azure Data Manager for Agriculture APIs [here](/rest/api/data-manager-for-agri). diff --git a/articles/data-manager-for-agri/release-notes.md b/articles/data-manager-for-agri/release-notes.md index 0b2a5a2fdd39e..b507ee1cb3975 100644 --- a/articles/data-manager-for-agri/release-notes.md +++ b/articles/data-manager-for-agri/release-notes.md 
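Review bot: In the architecture and use-cases hunk of concepts-llm-apis.md (`@@ -32,15 +36,15`), the renamed heading `## Current farm operations related uses cases` carries over the `uses cases` typo and should be `## Current farm operations-related use cases`. The rewritten architecture line still reads `deployed to the customers Azure App Service` and needs the possessive (`customer's`). The feature is renamed to generative AI elsewhere in this hunk, but the unchanged note at the top still says `testing our Azure Data Manager for Agriculture LLM Plugin APIs` while the onboarding bullet later in the file now says `copilot templates feature`; the note should use the new name too.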
@@ -23,10 +23,15 @@ Azure Data Manager for Agriculture Preview is updated on an ongoing basis. To st [!INCLUDE [public-preview-notice.md](includes/public-preview-notice.md)] +## March 2024 + +### Copilot Templates for Agriculture +Our copilot templates for agriculture enable seamless retrieval of data stored in our data manager and customers own data. Many customers have proprietary data outside of our data manager, for example Agronomy PDFs, market price data etc. Such customers can benefit from our orchestration framework that allows for plugins, embedded data structures, and sub processes to be selected as part of the query flow. While Data Manager for Agriculture isn't required to operationalize copilot templates for agriculture, the data manager enables customers to more easily integrate generative AI scenarios for their users. Learn more about this [here](concepts-llm-apis.md). + ## November 2023 ### LLM capability -Our LLM capability enables seamless selection of APIs mapped to farm operations today. This enables use cases that are based on tillage, planting, applications and harvesting type of farm operations. In the time to come we'll add the capability to select APIs mapped to soil sensors, weather, and imagery type of data. The skills in our LLM capability allow for a combination of results, calculation of area, ranking, summarizing to help serve customer prompts. These capabilities enable others to build their own agriculture copilots that deliver insights to farmers. Learn more about this [here](concepts-llm-apis.md). +Our LLM capability enables seamless selection of APIs mapped to farm operations today. This enables use cases that are based on tillage, planting, applications, and harvesting type of farm operations. In the time to come we'll add the capability to select APIs mapped to soil sensors, weather, and imagery type of data. 
The skills in our LLM capability allow for a combination of results, calculation of area, ranking, summarizing to help serve customer prompts. These capabilities enable others to build their own agriculture copilots that deliver insights to farmers. Learn more about this [here](concepts-llm-apis.md). ### Imagery enhancements We improved our satellite ingestion service. The improvements include: @@ -43,7 +48,7 @@ Listing of activities by party ID and by activity ID is consolidated into a more ## October 2023 ### Azure portal experience enhancement -We released a new user friendly experience to install ISV solutions that are available for Azure Data Manager for Agriculture users. You can now go to your Azure Data Manager for Agriculture instance on the Azure portal, view and install available solutions in a seamless user experience. Today the ISV solutions available are from Bayer AgPowered services, you can see the marketplace listing [here](https://azuremarketplace.microsoft.com/marketplace/apps?search=bayer&page=1). You can learn more about installing ISV solutions [here](how-to-set-up-isv-solution.md). +We released a new user friendly experience to install ISV solutions that are available for Azure Data Manager for Agriculture users. You can now go to your Azure Data Manager for Agriculture instance on the Azure portal, view, and install available solutions in a seamless user experience. Today the ISV solutions available are from Bayer AgPowered services, you can see the marketplace listing [here](https://azuremarketplace.microsoft.com/marketplace/apps?search=bayer&page=1). You can learn more about installing ISV solutions [here](how-to-set-up-isv-solution.md). ## July 2023 
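Review bot: In the release-notes.md hunk (`@@ -23,10 +23,15`), the new March 2024 entry has `data stored in our data manager and customers own data`, which needs the possessive (`customers' own data`), and `sub processes` should be `subprocesses`. The paragraph also repeats the concepts-llm-apis.md intro almost verbatim; a release note usually keeps one or two sentences and links out, which this entry already does with `Learn more about this [here](concepts-llm-apis.md)`.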
@@ -51,10 +56,10 @@ We released a new user friendly experience to install ISV solutions that are ava We deprecated the old weather APIs from API version 2023-07-01. The old weather APIs are replaced with new simple yet powerful provider agnostic weather APIs. Have a look at the API documentation [here](/rest/api/data-manager-for-agri/#weather). ### New farm operations connector -We added support for Climate FieldView as a built-in data source. You can now auto sync planting, application and harvest activity files from FieldView accounts directly into Azure Data Manager for Agriculture. Learn more about this [here](concepts-farm-operations-data.md). +We added support for Climate FieldView as a built-in data source. You can now auto sync planting, application, and harvest activity files from FieldView accounts directly into Azure Data Manager for Agriculture. Learn more about this [here](concepts-farm-operations-data.md). ### Common Data Model now with geo-spatial support -We updated our data model to improve flexibility. The boundary object is deprecated in favor of a geometry property that is now supported in nearly all data objects. This change brings consistency to how space is handled across hierarchy, activity and observation themes. It allows for more flexible integration when ingesting data from a provider with strict hierarchy requirements. You can now sync data that might not perfectly align with an existing hierarchy definition and resolve the conflicts with spatial overlap queries. Learn more [here](concepts-hierarchy-model.md). +We updated our data model to improve flexibility. The boundary object is deprecated in favor of a geometry property that is now supported in nearly all data objects. This change brings consistency to how space is handled across hierarchy, activity, and observation themes. It allows for more flexible integration when ingesting data from a provider with strict hierarchy requirements. 
You can now sync data that might not perfectly align with an existing hierarchy definition and resolve the conflicts with spatial overlap queries. Learn more [here](concepts-hierarchy-model.md). ## June 2023 diff --git a/articles/defender-for-cloud/agentless-vulnerability-assessment-aws.md b/articles/defender-for-cloud/agentless-vulnerability-assessment-aws.md index c117861c59ec5..decb7e9c8e431 100644 --- a/articles/defender-for-cloud/agentless-vulnerability-assessment-aws.md +++ b/articles/defender-for-cloud/agentless-vulnerability-assessment-aws.md @@ -9,7 +9,7 @@ ms.topic: how-to # Vulnerability assessments for AWS with Microsoft Defender Vulnerability Management -Vulnerability assessment for AWS, powered by Microsoft Defender Vulnerability Management, is an out-of-box solution that empowers security teams to easily discover and remediate vulnerabilities in Linux container images, with zero configuration for onboarding, and without deployment of any agents. +Vulnerability assessment for AWS, powered by Microsoft Defender Vulnerability Management, is an out-of-box solution that empowers security teams to easily discover and remediate vulnerabilities in Linux container images, with zero configuration for onboarding, and without deployment of any sensors. > [!NOTE] > This feature supports scanning of images in the ECR only. Images that are stored in other container registries should be imported into ECR for coverage. Learn how to [import container images to a container registry](../container-registry/container-registry-import-images.md). 
@@ -47,7 +47,7 @@ The triggers for an image scan are: - **Re-scan** is performed once a day for: - Images pushed in the last 90 days. - Images pulled in the last 30 days. - - Images currently running on the Kubernetes clusters monitored by Defender for Cloud (either via [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or the [Defender agent](defender-for-containers-enable.md#enablement-method-per-capability)). + - Images currently running on the Kubernetes clusters monitored by Defender for Cloud (either via [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or the [Defender sensor](defender-for-containers-enable.md#enablement-method-per-capability)). ## How does image scanning work? 
@@ -58,9 +58,9 @@ A detailed description of the scan process is described as follows: - Once a day, and for new images pushed to a registry: - All newly discovered images are pulled, and an inventory is created for each image. Image inventory is kept to avoid further image pulls, unless required by new scanner capabilities.​ - - Using the inventory, vulnerability reports are generated for new images, and updated for images previously scanned which were either pushed in the last 90 days to a registry, or are currently running. To determine if an image is currently running, Defender for Cloud uses both [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) and [inventory collected via the Defender agent running on EKS nodes](defender-for-containers-enable.md#enablement-method-per-capability) + - Using the inventory, vulnerability reports are generated for new images, and updated for images previously scanned which were either pushed in the last 90 days to a registry, or are currently running. To determine if an image is currently running, Defender for Cloud uses both [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) and [inventory collected via the Defender sensor running on EKS nodes](defender-for-containers-enable.md#enablement-method-per-capability) - Vulnerability reports for registry container images are provided as a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AwsContainerRegistryRecommendationDetailsBlade/assessmentKey/c27441ae-775c-45be-8ffa-655de37362ce). 
-- For customers using either [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or [inventory collected via the Defender agent running on EKS nodes](defender-for-containers-enable.md#enablement-method-per-capability), Defender for Cloud also creates a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/ContainersRuntimeRecommendationDetailsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5) for remediating vulnerabilities for vulnerable images running on an EKS cluster. For customers using only [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability), the refresh time for inventory in this recommendation is once every seven hours. Clusters that are also running the [Defender agent](defender-for-containers-enable.md#enablement-method-per-capability) benefit from a two hour inventory refresh rate. Image scan results are updated based on registry scan in both cases, and are therefore only refreshed every 24 hours. +- For customers using either [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or [inventory collected via the Defender sensor running on EKS nodes](defender-for-containers-enable.md#enablement-method-per-capability), Defender for Cloud also creates a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/ContainersRuntimeRecommendationDetailsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5) for remediating vulnerabilities for vulnerable images running on an EKS cluster. For customers using only [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability), the refresh time for inventory in this recommendation is once every seven hours. 
Clusters that are also running the [Defender sensor](defender-for-containers-enable.md#enablement-method-per-capability) benefit from a two hour inventory refresh rate. Image scan results are updated based on registry scan in both cases, and are therefore only refreshed every 24 hours. > [!NOTE] > For [Defender for Container Registries (deprecated)](defender-for-container-registries-introduction.md), images are scanned once on push, on pull, and rescanned only once a week. diff --git a/articles/defender-for-cloud/agentless-vulnerability-assessment-azure.md b/articles/defender-for-cloud/agentless-vulnerability-assessment-azure.md index 2e773bd14cdeb..2f33bc46db590 100644 --- a/articles/defender-for-cloud/agentless-vulnerability-assessment-azure.md +++ b/articles/defender-for-cloud/agentless-vulnerability-assessment-azure.md @@ -46,7 +46,7 @@ The triggers for an image scan are: - **Re-scan** is performed once a day for: - Images pushed in the last 90 days. - Images pulled in the last 30 days. - - Images currently running on the Kubernetes clusters monitored by Defender for Cloud (either via [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or the [Defender agent](defender-for-containers-enable.md#enablement-method-per-capability)). + - Images currently running on the Kubernetes clusters monitored by Defender for Cloud (either via [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or the [Defender sensor](defender-for-containers-enable.md#enablement-method-per-capability)). ## How does image scanning work? 
@@ -58,9 +58,9 @@ A detailed description of the scan process is described as follows: - Once a day, and for new images pushed to a registry: - All newly discovered images are pulled, and an inventory is created for each image. Image inventory is kept to avoid further image pulls, unless required by new scanner capabilities.​ - - Using the inventory, vulnerability reports are generated for new images, and updated for images previously scanned which were either pushed in the last 90 days to a registry, or are currently running. To determine if an image is currently running, Defender for Cloud uses both [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) and [inventory collected via the Defender agent running on AKS nodes](defender-for-containers-enable.md#enablement-method-per-capability) + - Using the inventory, vulnerability reports are generated for new images, and updated for images previously scanned which were either pushed in the last 90 days to a registry, or are currently running. To determine if an image is currently running, Defender for Cloud uses both [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) and [inventory collected via the Defender sensor running on AKS nodes](defender-for-containers-enable.md#enablement-method-per-capability) - Vulnerability reports for registry container images are provided as a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AzureContainerRegistryRecommendationDetailsBlade/assessmentKey/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5). 
-- For customers using either [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or [inventory collected via the Defender agent running on AKS nodes](defender-for-containers-enable.md#enablement-method-per-capability), Defender for Cloud also creates a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/ContainersRuntimeRecommendationDetailsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5) for remediating vulnerabilities for vulnerable images running on an AKS cluster. For customers using only [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability), the refresh time for inventory in this recommendation is once every seven hours. Clusters that are also running the [Defender agent](defender-for-containers-enable.md#enablement-method-per-capability) benefit from a two hour inventory refresh rate. Image scan results are updated based on registry scan in both cases, and are therefore only refreshed every 24 hours. +- For customers using either [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or [inventory collected via the Defender sensor running on AKS nodes](defender-for-containers-enable.md#enablement-method-per-capability), Defender for Cloud also creates a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/ContainersRuntimeRecommendationDetailsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5) for remediating vulnerabilities for vulnerable images running on an AKS cluster. For customers using only [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability), the refresh time for inventory in this recommendation is once every seven hours. 
Clusters that are also running the [Defender sensor](defender-for-containers-enable.md#enablement-method-per-capability) benefit from a two hour inventory refresh rate. Image scan results are updated based on registry scan in both cases, and are therefore only refreshed every 24 hours. > [!NOTE] > For [Defender for Container Registries (deprecated)](defender-for-container-registries-introduction.md), images are scanned once on push, on pull, and rescanned only once a week. diff --git a/articles/defender-for-cloud/agentless-vulnerability-assessment-gcp.md b/articles/defender-for-cloud/agentless-vulnerability-assessment-gcp.md index f3fcddbe92f62..25850f0fd4d31 100644 --- a/articles/defender-for-cloud/agentless-vulnerability-assessment-gcp.md +++ b/articles/defender-for-cloud/agentless-vulnerability-assessment-gcp.md 
@@ -9,7 +9,7 @@ ms.topic: how-to # Vulnerability assessments for GCP with Microsoft Defender Vulnerability Management -Vulnerability assessment for GCP, powered by Microsoft Defender Vulnerability Management, is an out-of-box solution that empowers security teams to easily discover and remediate vulnerabilities in Linux container images, with zero configuration for onboarding, and without deployment of any agents. +Vulnerability assessment for GCP, powered by Microsoft Defender Vulnerability Management, is an out-of-box solution that empowers security teams to easily discover and remediate vulnerabilities in Linux container images, with zero configuration for onboarding, and without deployment of any sensors. In every account where enablement of this capability is completed, all images stored in Google Registries (GAR and GCR) that meet the criteria for scan triggers are scanned for vulnerabilities without any extra configuration of users or registries. Recommendations with vulnerability reports are provided for all images in Google Registries (GAR and GCR), images that are currently running in GKE that were pulled from Google Registries (GAR and GCR) or any other Defender for Cloud supported registry (ACR or ECR). Images are scanned shortly after being added to a registry, and rescanned for new vulnerabilities once every 24 hours. 
@@ -44,7 +44,7 @@ The triggers for an image scan are: - **Re-scan** is performed once a day for: - Images pushed in the last 90 days. - Images pulled in the last 30 days. - - Images currently running on the Kubernetes clusters monitored by Defender for Cloud (either via [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or the [Defender agent](defender-for-containers-enable.md#enablement-method-per-capability)). + - Images currently running on the Kubernetes clusters monitored by Defender for Cloud (either via [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or the [Defender sensor](defender-for-containers-enable.md#enablement-method-per-capability)). ## How does image scanning work? 
@@ -55,9 +55,9 @@ A detailed description of the scan process is described as follows: - Once a day, and for new images pushed to a registry: - All newly discovered images are pulled, and an inventory is created for each image. Image inventory is kept to avoid further image pulls, unless required by new scanner capabilities.​ - - Using the inventory, vulnerability reports are generated for new images, and updated for images previously scanned which were either pushed in the last 90 days to a registry, or are currently running. To determine if an image is currently running, Defender for Cloud uses both [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) and [inventory collected via the Defender agent running on GKE nodes](defender-for-containers-enable.md#enablement-method-per-capability) + - Using the inventory, vulnerability reports are generated for new images, and updated for images previously scanned which were either pushed in the last 90 days to a registry, or are currently running. To determine if an image is currently running, Defender for Cloud uses both [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) and [inventory collected via the Defender sensor running on GKE nodes](defender-for-containers-enable.md#enablement-method-per-capability) - Vulnerability reports for registry container images are provided as a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/GcpContainerRegistryRecommendationDetailsBlade/assessmentKey/5cc3a2c1-8397-456f-8792-fe9d0d4c9145). 
-- For customers using either [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or [inventory collected via the Defender agent running on GKE nodes](defender-for-containers-enable.md#enablement-method-per-capability), Defender for Cloud also creates a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/GcpContainersRuntimeRecommendationDetailsBlade/assessmentKey/e538731a-80c8-4317-a119-13075e002516) for remediating vulnerabilities for vulnerable images running on a GKE cluster. For customers using only [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability), the refresh time for inventory in this recommendation is once every seven hours. Clusters that are also running the [Defender agent](defender-for-containers-enable.md#enablement-method-per-capability) benefit from a two hour inventory refresh rate. Image scan results are updated based on registry scan in both cases, and are therefore only refreshed every 24 hours. +- For customers using either [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or [inventory collected via the Defender sensor running on GKE nodes](defender-for-containers-enable.md#enablement-method-per-capability), Defender for Cloud also creates a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/GcpContainersRuntimeRecommendationDetailsBlade/assessmentKey/e538731a-80c8-4317-a119-13075e002516) for remediating vulnerabilities for vulnerable images running on a GKE cluster. For customers using only [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability), the refresh time for inventory in this recommendation is once every seven hours. 
Clusters that are also running the [Defender sensor](defender-for-containers-enable.md#enablement-method-per-capability) benefit from a two hour inventory refresh rate. Image scan results are updated based on registry scan in both cases, and are therefore only refreshed every 24 hours. > [!NOTE] > For [Defender for Container Registries (deprecated)](defender-for-container-registries-introduction.md), images are scanned once on push, on pull, and rescanned only once a week. diff --git a/articles/defender-for-cloud/alert-validation.md b/articles/defender-for-cloud/alert-validation.md index 740937628ecda..3c28fa143b4d2 100644 --- a/articles/defender-for-cloud/alert-validation.md +++ b/articles/defender-for-cloud/alert-validation.md @@ -99,7 +99,7 @@ You can simulate alerts for both of the control plane, and workload alerts with **Prerequisites** - Ensure the Defender for Containers plan is enabled. -- **Arc only** - Ensure the [Defender agent](defender-for-cloud-glossary.md#defender-agent) is installed. +- **Arc only** - Ensure the [Defender sensor](defender-for-cloud-glossary.md#defender-sensor) is installed. - **EKS or GKE only** - Ensure the default audit log collection autoprovisioning options are enabled. **To simulate a Kubernetes control plane security alert**: @@ -123,7 +123,7 @@ You can simulate alerts for both of the control plane, and workload alerts with **Prerequisites** - Ensure the Defender for Containers plan is enabled. -- Ensure the [Defender agent](defender-for-cloud-glossary.md#defender-agent) is installed. +- Ensure the [Defender sensor](defender-for-cloud-glossary.md#defender-sensor) is installed. **To simulate a Kubernetes workload security alert**: diff --git a/articles/defender-for-cloud/common-questions-microsoft-defender-vulnerability-management.md b/articles/defender-for-cloud/common-questions-microsoft-defender-vulnerability-management.md index eaabeb6b52a79..46d21c812a065 100644 
--- a/articles/defender-for-cloud/common-questions-microsoft-defender-vulnerability-management.md +++ b/articles/defender-for-cloud/common-questions-microsoft-defender-vulnerability-management.md @@ -24,10 +24,10 @@ No. The cost of the vulnerability assessment scanning is included in Defender fo No. Each unique image is billed once according to the pricing of the Defender plan enabled, regardless of scanner. -## Does container vulnerability assessment powered by Microsoft Defender Vulnerability Management require an agent? +## Does container vulnerability assessment powered by Microsoft Defender Vulnerability Management require a sensor? Vulnerability assessment for container images in the registry is agentless. -Vulnerability assessment for runtime supports both agentless and agent-based deployment. This approach allows us to provide maximum visibility when vulnerability assessment is enabled, while providing improved refresh rate for image inventory on clusters running our agent. +Vulnerability assessment for runtime supports both agentless and sensor-based deployment. This approach allows us to provide maximum visibility when vulnerability assessment is enabled, while providing improved refresh rate for image inventory on clusters running our sensor. ## How complicated is it to enable container vulnerability assessment powered by Microsoft Defender Vulnerability Management? diff --git a/articles/defender-for-cloud/concept-agentless-containers.md b/articles/defender-for-cloud/concept-agentless-containers.md index 56a9d2d4de104..12f5cd3dd50f8 100644 --- a/articles/defender-for-cloud/concept-agentless-containers.md +++ b/articles/defender-for-cloud/concept-agentless-containers.md 
@@ -1,6 +1,6 @@ --- title: Agentless container posture in Defender CSPM -description: Learn how agentless container posture offers discovery, visibility, and vulnerability assessment for containers without installing an agent on your machines. +description: Learn how agentless container posture offers discovery, visibility, and vulnerability assessment for containers without installing a sensor on your machines. ms.service: defender-for-cloud ms.topic: conceptual ms.date: 12/12/2023 diff --git a/articles/defender-for-cloud/defender-for-cloud-glossary.md b/articles/defender-for-cloud/defender-for-cloud-glossary.md index 46b00daa5463d..facabf0bcf55e 100644 --- a/articles/defender-for-cloud/defender-for-cloud-glossary.md +++ b/articles/defender-for-cloud/defender-for-cloud-glossary.md 
@@ -127,9 +127,9 @@ Cloud Workload Protection Platform. See [CWPP](./overview-page.md). Data-aware security posture automatically discovers datastores containing sensitive data, and helps reduce risk of data breaches. Learn about [data-aware security posture](concept-data-security-posture.md). -### Defender agent +### Defender sensor -The DaemonSet that is deployed on each node, collects signals from hosts using eBPF technology, and provides runtime protection. The agent is registered with a Log Analytics workspace, and used as a data pipeline. However, the audit log data isn't stored in the Log Analytics workspace. It's deployed under AKS Security profile in AKS clusters and as an Arc extension in Arc enabled Kubernetes clusters. For more information, see [Architecture for each Kubernetes environment](defender-for-containers-architecture.md#architecture-for-each-kubernetes-environment). +The DaemonSet that is deployed on each node, collects signals from hosts using eBPF technology, and provides runtime protection. The sensor is registered with a Log Analytics workspace, and used as a data pipeline. However, the audit log data isn't stored in the Log Analytics workspace. It's deployed under AKS Security profile in AKS clusters and as an Arc extension in Arc enabled Kubernetes clusters. For more information, see [Architecture for each Kubernetes environment](defender-for-containers-architecture.md#architecture-for-each-kubernetes-environment). ### **DDOS Attack** diff --git a/articles/defender-for-cloud/defender-for-containers-architecture.md b/articles/defender-for-cloud/defender-for-containers-architecture.md index 53fcf6d9db8e9..49aa207ae885d 100644 --- a/articles/defender-for-cloud/defender-for-containers-architecture.md +++ b/articles/defender-for-cloud/defender-for-containers-architecture.md 
@@ -39,12 +39,12 @@ To learn more about implementation details such as supported operating systems, When Defender for Cloud protects a cluster hosted in Azure Kubernetes Service, the collection of audit log data is agentless and collected automatically through Azure infrastructure with no additional cost or configuration considerations. These are the required components in order to receive the full protection offered by Microsoft Defender for Containers: -- **Defender agent**: The DaemonSet that is deployed on each node, collects signals from hosts using [eBPF technology](https://ebpf.io/), and provides runtime protection. The agent is registered with a Log Analytics workspace, and used as a data pipeline. However, the audit log data isn't stored in the Log Analytics workspace. The Defender agent is deployed as an AKS Security profile. +- **Defender sensor**: The DaemonSet that is deployed on each node, collects signals from hosts using [eBPF technology](https://ebpf.io/), and provides runtime protection. The sensor is registered with a Log Analytics workspace, and used as a data pipeline. However, the audit log data isn't stored in the Log Analytics workspace. The Defender sensor is deployed as an AKS Security profile. - **Azure Policy for Kubernetes**: A pod that extends the open-source [Gatekeeper v3](https://github.com/open-policy-agent/gatekeeper) and registers as a web hook to Kubernetes admission control making it possible to apply at-scale enforcements, and safeguards on your clusters in a centralized, consistent manner. The Azure Policy for Kubernetes pod is deployed as an AKS add-on. It's only installed on one node in the cluster. For more information, see [Protect your Kubernetes workloads](kubernetes-workload-protections.md) and [Understand Azure Policy for Kubernetes clusters](../governance/policy/concepts/policy-for-kubernetes.md). 
:::image type="content" source="./media/defender-for-containers/architecture-aks-cluster.png" alt-text="Diagram of high-level architecture of the interaction between Microsoft Defender for Containers, Azure Kubernetes Service, and Azure Policy." lightbox="./media/defender-for-containers/architecture-aks-cluster.png"::: -### Defender agent component details +### Defender sensor component details | Pod Name | Namespace | Kind | Short Description | Capabilities | Resource limits | Egress Required | |--|--|--|--|--|--|--| 
@@ -84,9 +84,9 @@ When you enable the agentless discovery for Kubernetes extension, the following These components are required in order to receive the full protection offered by Microsoft Defender for Containers: -- **[Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md)** - Azure Arc-enabled Kubernetes - An agent based solution, installed on one node in the cluster, that connects your clusters to Defender for Cloud. Defender for Cloud is then able to deploy the following two agents as [Arc extensions](../azure-arc/kubernetes/extensions.md): +- **[Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md)** - Azure Arc-enabled Kubernetes - An sensor based solution, installed on one node in the cluster, that connects your clusters to Defender for Cloud. Defender for Cloud is then able to deploy the following two agents as [Arc extensions](../azure-arc/kubernetes/extensions.md): -- **Defender agent**: The DaemonSet that is deployed on each node, collects host signals using [eBPF technology](https://ebpf.io/) and Kubernetes audit logs, to provide runtime protection. The agent is registered with a Log Analytics workspace, and used as a data pipeline. However, the audit log data isn't stored in the Log Analytics workspace. The Defender agent is deployed as an Arc-enabled Kubernetes extension. +- **Defender sensor**: The DaemonSet that is deployed on each node, collects host signals using [eBPF technology](https://ebpf.io/) and Kubernetes audit logs, to provide runtime protection. The sensor is registered with a Log Analytics workspace, and used as a data pipeline. However, the audit log data isn't stored in the Log Analytics workspace. The Defender sensor is deployed as an Arc-enabled Kubernetes extension. 
- **Azure Policy for Kubernetes**: A pod that extends the open-source [Gatekeeper v3](https://github.com/open-policy-agent/gatekeeper) and registers as a web hook to Kubernetes admission control making it possible to apply at-scale enforcements, and safeguards on your clusters in a centralized, consistent manner. The Azure Policy for Kubernetes pod is deployed as an Arc-enabled Kubernetes extension. It's only installed on one node in the cluster. For more information, see [Protect your Kubernetes workloads](kubernetes-workload-protections.md) and [Understand Azure Policy for Kubernetes clusters](../governance/policy/concepts/policy-for-kubernetes.md). 
@@ -102,8 +102,8 @@ These components are required in order to receive the full protection offered by When Defender for Cloud protects a cluster hosted in Elastic Kubernetes Service, the collection of audit log data is agentless. These are the required components in order to receive the full protection offered by Microsoft Defender for Containers: - **[Kubernetes audit logs](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/)** – [AWS account’s CloudWatch](https://aws.amazon.com/cloudwatch/) enables, and collects audit log data through an agentless collector, and sends the collected information to the Microsoft Defender for Cloud backend for further analysis. -- **[Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md)** - Azure Arc-enabled Kubernetes - An agent based solution, installed on one node in the cluster, that connects your clusters to Defender for Cloud. Defender for Cloud is then able to deploy the following two agents as [Arc extensions](../azure-arc/kubernetes/extensions.md): -- **Defender agent**: The DaemonSet that is deployed on each node, collects signals from hosts using [eBPF technology](https://ebpf.io/), and provides runtime protection. The agent is registered with a Log Analytics workspace, and used as a data pipeline. However, the audit log data isn't stored in the Log Analytics workspace. The Defender agent is deployed as an Arc-enabled Kubernetes extension. +- **[Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md)** - Azure Arc-enabled Kubernetes - A sensor based solution, installed on one node in the cluster, that connects your clusters to Defender for Cloud. Defender for Cloud is then able to deploy the following two agents as [Arc extensions](../azure-arc/kubernetes/extensions.md): +- **Defender sensor**: The DaemonSet that is deployed on each node, collects signals from hosts using [eBPF technology](https://ebpf.io/), and provides runtime protection. 
The sensor is registered with a Log Analytics workspace, and used as a data pipeline. However, the audit log data isn't stored in the Log Analytics workspace. The Defender sensor is deployed as an Arc-enabled Kubernetes extension. - **Azure Policy for Kubernetes**: A pod that extends the open-source [Gatekeeper v3](https://github.com/open-policy-agent/gatekeeper) and registers as a web hook to Kubernetes admission control making it possible to apply at-scale enforcements, and safeguards on your clusters in a centralized, consistent manner. The Azure Policy for Kubernetes pod is deployed as an Arc-enabled Kubernetes extension. It's only installed on one node in the cluster. For more information, see [Protect your Kubernetes workloads](kubernetes-workload-protections.md) and [Understand Azure Policy for Kubernetes clusters](../governance/policy/concepts/policy-for-kubernetes.md). > [!NOTE] 
@@ -135,8 +135,8 @@ When Defender for Cloud protects a cluster hosted in Google Kubernetes Engine, t - **[Kubernetes audit logs](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/)** – [GCP Cloud Logging](https://cloud.google.com/logging/) enables, and collects audit log data through an agentless collector, and sends the collected information to the Microsoft Defender for Cloud backend for further analysis. -- **[Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md)** - Azure Arc-enabled Kubernetes - An agent based solution, installed on one node in the cluster, that connects your clusters to Defender for Cloud. Defender for Cloud is then able to deploy the following two agents as [Arc extensions](../azure-arc/kubernetes/extensions.md): -- **Defender agent**: The DaemonSet that is deployed on each node, collects signals from hosts using [eBPF technology](https://ebpf.io/), and provides runtime protection. The agent is registered with a Log Analytics workspace, and used as a data pipeline. However, the audit log data isn't stored in the Log Analytics workspace. The Defender agent is deployed as an Arc-enabled Kubernetes extension. +- **[Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md)** - Azure Arc-enabled Kubernetes - A sensor based solution, installed on one node in the cluster, that connects your clusters to Defender for Cloud. Defender for Cloud is then able to deploy the following two agents as [Arc extensions](../azure-arc/kubernetes/extensions.md): +- **Defender sensor**: The DaemonSet that is deployed on each node, collects signals from hosts using [eBPF technology](https://ebpf.io/), and provides runtime protection. The sensor is registered with a Log Analytics workspace, and used as a data pipeline. However, the audit log data isn't stored in the Log Analytics workspace. The Defender sensor is deployed as an Arc-enabled Kubernetes extension. 
- **Azure Policy for Kubernetes**: A pod that extends the open-source [Gatekeeper v3](https://github.com/open-policy-agent/gatekeeper) and registers as a web hook to Kubernetes admission control making it possible to apply at-scale enforcements, and safeguards on your clusters in a centralized, consistent manner. The Azure Policy for Kubernetes pod is deployed as an Arc-enabled Kubernetes extension. It only needs to be installed on one node in the cluster. For more information, see [Protect your Kubernetes workloads](kubernetes-workload-protections.md) and [Understand Azure Policy for Kubernetes clusters](../governance/policy/concepts/policy-for-kubernetes.md). > [!NOTE] diff --git a/articles/defender-for-cloud/defender-for-containers-enable.md b/articles/defender-for-cloud/defender-for-containers-enable.md index 6b777667f56ac..e2c58f7ec438b 100644 --- a/articles/defender-for-cloud/defender-for-containers-enable.md +++ b/articles/defender-for-cloud/defender-for-containers-enable.md @@ -91,7 +91,7 @@ A full list of supported alerts is available in the [reference table of all Defe :::image type="content" source="media/defender-for-kubernetes-azure-arc/sample-kubernetes-security-alert.png" alt-text="Sample alert from Microsoft Defender for Kubernetes." lightbox="media/defender-for-kubernetes-azure-arc/sample-kubernetes-security-alert.png"::: ::: zone pivot="defender-for-container-arc,defender-for-container-eks,defender-for-container-gke" -[!INCLUDE [Remove the agent](./includes/defender-for-containers-remove-extension.md)] +[!INCLUDE [Remove the sensor](./includes/defender-for-containers-remove-extension.md)] ::: zone-end ::: zone pivot="defender-for-container-aks" 
@@ -103,7 +103,7 @@ A full list of supported alerts is available in the [reference table of all Defe ::: zone-end ::: zone pivot="defender-for-container-aks" -[!INCLUDE [Remove the agent](./includes/defender-for-containers-remove-profile.md)] +[!INCLUDE [Remove the sensor](./includes/defender-for-containers-remove-profile.md)] ::: zone-end ## Learn more diff --git a/articles/defender-for-cloud/defender-for-containers-introduction.md b/articles/defender-for-cloud/defender-for-containers-introduction.md index e34b2483e5c05..2a04d3c571245 100644 --- a/articles/defender-for-cloud/defender-for-containers-introduction.md +++ b/articles/defender-for-cloud/defender-for-containers-introduction.md @@ -19,7 +19,7 @@ Defender for Containers assists you with four core domains of container security - [**Run-time threat protection**](#run-time-protection-for-kubernetes-nodes-and-clusters) - a rich threat detection suite for Kubernetes clusters, nodes, and workloads, powered by Microsoft leading threat intelligence, provides mapping to MITRE ATT&CK framework for easy understanding of risk and relevant context, automated response, and SIEM/XDR integration. -- **Deployment & monitoring**- Monitors your Kubernetes clusters for missing agents and provides frictionless at-scale deployment for agent-based capabilities, support for standard Kubernetes monitoring tools, and management of unmonitored resources. +- **Deployment & monitoring**- Monitors your Kubernetes clusters for missing sensors and provides frictionless at-scale deployment for sensor-based capabilities, support for standard Kubernetes monitoring tools, and management of unmonitored resources. You can learn more by watching this video from the Defender for Cloud in the Field video series: [Microsoft Defender for Containers](episode-three.md). 
@@ -52,7 +52,7 @@ You can learn more by watching this video from the Defender for Cloud in the Fie For details included with this capability, check out the [containers section](recommendations-reference.md#container-recommendations) of the recommendations reference table, and look for recommendations with type "Control plane" -### Agent-based capabilities +### Sensor-based capabilities **Kubernetes data plane hardening** - To protect the workloads of your Kubernetes containers with best practice recommendations, you can install the [Azure Policy for Kubernetes](../governance/policy/concepts/policy-for-kubernetes.md). Learn more about [monitoring components](monitoring-components.md) for Defender for Cloud. 
@@ -78,7 +78,7 @@ Learn more about: Defender for Containers provides real-time threat protection for [supported containerized environments](support-matrix-defender-for-containers.md) and generates alerts for suspicious activities. You can use this information to quickly remediate security issues and improve the security of your containers. -Threat protection is provided for Kubernetes at cluster level, node level, and workload level and includes both agent based coverage that requires the [Defender agent](defender-for-cloud-glossary.md#defender-agent) and agentless coverage that is based on analysis of the Kubernetes audit logs. Security alerts are only triggered for actions and deployments that occur after you enabled Defender for Containers on your subscription. +Threat protection is provided for Kubernetes at cluster level, node level, and workload level and includes both sensor based coverage that requires the [Defender sensor](defender-for-cloud-glossary.md#defender-sensor) and agentless coverage that is based on analysis of the Kubernetes audit logs. Security alerts are only triggered for actions and deployments that occur after you enabled Defender for Containers on your subscription. Examples of security events that Microsoft Defenders for Containers monitors include: diff --git a/articles/defender-for-cloud/enable-vulnerability-assessment.md b/articles/defender-for-cloud/enable-vulnerability-assessment.md index 5bfda6ea4b06a..3d666b837b230 100644 --- a/articles/defender-for-cloud/enable-vulnerability-assessment.md +++ b/articles/defender-for-cloud/enable-vulnerability-assessment.md 
@@ -8,7 +8,7 @@ ms.date: 12/14/2023 # Enable vulnerability assessment powered by Microsoft Defender Vulnerability Management -Vulnerability assessment powered by Microsoft Defender Vulnerability Management, is an out-of-box solution that empowers security teams to easily discover and remediate vulnerabilities in container images, with zero configuration for onboarding, and without deployment of any agents. +Vulnerability assessment powered by Microsoft Defender Vulnerability Management, is an out-of-box solution that empowers security teams to easily discover and remediate vulnerabilities in container images, with zero configuration for onboarding, and without deployment of any sensors. ## How to enable vulnerability assessment powered by Microsoft Defender Vulnerability Management @@ -30,7 +30,7 @@ A notification message pops up in the top right corner that verifies that the se ## How to enable runtime coverage - For Defender CSPM, use agentless discovery for Kubernetes. For more information, see [Onboard agentless container posture in Defender CSPM](how-to-enable-agentless-containers.md). -- For Defender for Containers, use agentless discovery for Kubernetes or use the Defender agent. For more information, see [Enable the plan](defender-for-containers-enable.md). +- For Defender for Containers, use agentless discovery for Kubernetes or use the Defender sensor. For more information, see [Enable the plan](defender-for-containers-enable.md). - For Defender for Container Registries, there's no runtime coverage. ## Next steps diff --git a/articles/defender-for-cloud/faq-defender-for-containers.yml b/articles/defender-for-cloud/faq-defender-for-containers.yml index 9701375359207..479c4141e6c6e 100644 --- a/articles/defender-for-cloud/faq-defender-for-containers.yml +++ b/articles/defender-for-cloud/faq-defender-for-containers.yml 
@@ -47,7 +47,7 @@ sections: - question: | I deleted my default workspace, how can I get it back? answer: | - To recover your default workspace, you need to remove the [Defender agent](defender-for-cloud-glossary.md#defender-agent), and reinstall the agent. Reinstalling the Defender agent creates a new default workspace. + To recover your default workspace, you need to remove the [Defender sensor](defender-for-cloud-glossary.md#defender-sensor), and reinstall the sensor. Reinstalling the Defender sensor creates a new default workspace. - question: | Where is the default Log Analytics workspace located? 
@@ -55,11 +55,11 @@ sections: Depending on your region, the default Log Analytics workspace might be located in various locations. To check your region see [Where is the default Log Analytics workspace created?](faq-data-collection-agents.yml) - question: | - My organization requires me to tag my resources, and the required agent didn't get installed, what went wrong? + My organization requires me to tag my resources, and the required sensor didn't get installed, what went wrong? answer: | - The [Defender agent](defender-for-cloud-glossary.md#defender-agent) uses the Log analytics workspace to send data from your Kubernetes clusters to Defender for Cloud. The Defender for Cloud adds the Log analytic workspace and the resource group as a parameter for the agent to use. + The [Defender sensor](defender-for-cloud-glossary.md#defender-sensor) uses the Log analytics workspace to send data from your Kubernetes clusters to Defender for Cloud. The Defender for Cloud adds the Log analytic workspace and the resource group as a parameter for the sensor to use. - However, if your organization has a policy that requires a specific tag on your resources, it might cause the agent installation to fail during the resource group or the default workspace creation stage. If it fails, you can either: + However, if your organization has a policy that requires a specific tag on your resources, it might cause the sensor installation to fail during the resource group or the default workspace creation stage. If it fails, you can either: - [Assign a custom workspace](defender-for-containers-enable.md?pivots=defender-for-container-aks&tabs=aks-deploy-portal%2ck8s-deploy-asc%2ck8s-verify-asc%2ck8s-remove-arc%2caks-removeprofile-api#assign-a-custom-workspace) and add any tag your organization requires. 
@@ -196,7 +196,7 @@ sections: - Destination: `0.0.0.0/0`; Target: Internet Gateway with the tag `name` and the value `defender-for-containers-va` - Destination: `10.0.0.0/16`; Target: `local` - To get vulnerability assessments for running images, either enable [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or deploy the [Defender agent](defender-for-containers-enable.md#enablement-method-per-capability) on your Kubernetes clusters. + To get vulnerability assessments for running images, either enable [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or deploy the [Defender sensor](defender-for-containers-enable.md#enablement-method-per-capability) on your Kubernetes clusters. diff --git a/articles/defender-for-cloud/includes/defender-for-container-prerequisites-aks.md b/articles/defender-for-cloud/includes/defender-for-container-prerequisites-aks.md index d72621719047b..59f60b64e5eff 100644 --- a/articles/defender-for-cloud/includes/defender-for-container-prerequisites-aks.md +++ b/articles/defender-for-cloud/includes/defender-for-container-prerequisites-aks.md @@ -8,7 +8,7 @@ author: dcurwin ## Network requirements -Validate the following endpoints are configured for outbound access so that the Defender agent can connect to Microsoft Defender for Cloud to send security data and events: +Validate the following endpoints are configured for outbound access so that the Defender sensor can connect to Microsoft Defender for Cloud to send security data and events: See the [required FQDN/application rules for Microsoft Defender for Containers](../../aks/outbound-rules-control-egress.md#microsoft-defender-for-containers). diff --git a/articles/defender-for-cloud/includes/defender-for-container-prerequisites-arc-eks-gke.md b/articles/defender-for-cloud/includes/defender-for-container-prerequisites-arc-eks-gke.md index 38a51813ac868..4089e5ef8722b 100644 
--- a/articles/defender-for-cloud/includes/defender-for-container-prerequisites-arc-eks-gke.md +++ b/articles/defender-for-cloud/includes/defender-for-container-prerequisites-arc-eks-gke.md @@ -11,7 +11,7 @@ author: dcurwin > [!CAUTION] > This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. -Validate the following endpoints are configured for outbound access so that the Defender agent can connect to Microsoft Defender for Cloud to send security data and events: +Validate the following endpoints are configured for outbound access so that the Defender sensor can connect to Microsoft Defender for Cloud to send security data and events: For public cloud deployments: diff --git a/articles/defender-for-cloud/includes/defender-for-containers-assign-workspace-aks.md b/articles/defender-for-cloud/includes/defender-for-containers-assign-workspace-aks.md index 43f8de5668a6f..17b86400ccd6a 100644 --- a/articles/defender-for-cloud/includes/defender-for-containers-assign-workspace-aks.md +++ b/articles/defender-for-cloud/includes/defender-for-containers-assign-workspace-aks.md 
@@ -8,9 +8,9 @@ author: dcurwin ## Default Log Analytics workspace for AKS -The Log Analytics workspace is used by the Defender agent as a data pipeline to send data from the cluster to Defender for Cloud without retaining any data in the Log Analytics workspace itself. As a result, users won't be billed in this use case. +The Log Analytics workspace is used by the Defender sensor as a data pipeline to send data from the cluster to Defender for Cloud without retaining any data in the Log Analytics workspace itself. As a result, users won't be billed in this use case. -The Defender agent uses a default Log Analytics workspace. If you don't already have a default Log Analytics workspace, Defender for Cloud will create a new resource group and default workspace when the Defender agent is installed. The default workspace is created based on your [region](../faq-data-collection-agents.yml). +The Defender sensor uses a default Log Analytics workspace. If you don't already have a default Log Analytics workspace, Defender for Cloud will create a new resource group and default workspace when the Defender sensor is installed. The default workspace is created based on your [region](../faq-data-collection-agents.yml). The naming convention for the default Log Analytics workspace and resource group is: diff --git a/articles/defender-for-cloud/includes/defender-for-containers-assign-workspace-arc.md b/articles/defender-for-cloud/includes/defender-for-containers-assign-workspace-arc.md index cfd2bde6a28c0..d722d22a02b25 100644 --- a/articles/defender-for-cloud/includes/defender-for-containers-assign-workspace-arc.md +++ b/articles/defender-for-cloud/includes/defender-for-containers-assign-workspace-arc.md 
@@ -8,9 +8,9 @@ author: dcurwin ## Default Log Analytics workspace for Arc -The Log Analytics workspace is used by the Defender agent as a data pipeline to send data from the cluster to Defender for Cloud without retaining any data in the Log Analytics workspace itself. As a result, users won't be billed in this use case. +The Log Analytics workspace is used by the Defender sensor as a data pipeline to send data from the cluster to Defender for Cloud without retaining any data in the Log Analytics workspace itself. As a result, users won't be billed in this use case. -The Defender agent uses a default Log Analytics workspace. If you don't already have a default Log Analytics workspace, Defender for Cloud will create a new resource group and default workspace when the Defender agent is installed. The default workspace is created based on your [region](../faq-data-collection-agents.yml). +The Defender sensor uses a default Log Analytics workspace. If you don't already have a default Log Analytics workspace, Defender for Cloud will create a new resource group and default workspace when the Defender sensor is installed. The default workspace is created based on your [region](../faq-data-collection-agents.yml). The naming convention for the default Log Analytics workspace and resource group is: - **Workspace**: DefaultWorkspace-\[subscription-ID]-\[geo] diff --git a/articles/defender-for-cloud/includes/defender-for-containers-enable-plan-aks.md b/articles/defender-for-cloud/includes/defender-for-containers-enable-plan-aks.md index 74e142b1e2c9e..3aa32d182151c 100644 --- a/articles/defender-for-cloud/includes/defender-for-containers-enable-plan-aks.md +++ b/articles/defender-for-cloud/includes/defender-for-containers-enable-plan-aks.md 
@@ -43,39 +43,39 @@ For detailed information on the enablement method for each one the capabilities, Learn more about the [roles used to provision Defender for Containers extensions](../permissions.md#roles-used-to-automatically-provision-agents-and-extensions). -### Assigning custom workspace for Defender agent +### Assigning custom workspace for Defender sensor You can [assign a custom workspace](../defender-for-containers-enable.md?pivots=defender-for-container-aks&tabs=aks-deploy-portal%2ck8s-deploy-asc%2ck8s-verify-asc%2ck8s-remove-arc%2caks-removeprofile-api#assign-a-custom-workspace) through Azure Policy. -### Manual deployment of Defender agent or Azure policy agent without auto-provisioning using recommendations +### Manual deployment of Defender sensor or Azure policy agent without auto-provisioning using recommendations -Capabilities that require agent installation can also be deployed on one or more Kubernetes clusters, using the appropriate recommendation: +Capabilities that require sensor installation can also be deployed on one or more Kubernetes clusters, using the appropriate recommendation: -| Agent | Recommendation | +| Sensor | Recommendation | |--|--| -| Defender Agent for Kubernetes | [Azure Kubernetes Service clusters should have Defender profile enabled](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/56a83a6e-c417-42ec-b567-1e6fcb3d09a9) | -| Defender Agent for Arc-enabled Kubernetes | [Azure Arc-enabled Kubernetes clusters should have the Defender extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/3ef9848c-c2c8-4ff3-8b9c-4c8eb8ddfce6) | +| Defender Sensor for Kubernetes | [Azure Kubernetes Service clusters should have Defender profile enabled](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/56a83a6e-c417-42ec-b567-1e6fcb3d09a9) | +| Defender Sensor for Arc-enabled Kubernetes | [Azure 
Arc-enabled Kubernetes clusters should have the Defender extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/3ef9848c-c2c8-4ff3-8b9c-4c8eb8ddfce6) | | Azure policy agent for Kubernetes | [Azure Kubernetes Service clusters should have the Azure Policy Add-on for Kubernetes installed](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/08e628db-e2ed-4793-bc91-d13e684401c3) | | Azure policy agent for Arc-enabled Kubernetes | [Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/0642d770-b189-42ef-a2ce-9dcc3ec6c169) | -Perform the following steps to perform deployment of the Defender agent on specific clusters: +Perform the following steps to perform deployment of the Defender sensor on specific clusters: 1. From Microsoft Defender for Cloud's recommendations page, open the **Enable enhanced security** security control or search directly for one of the above recommendations (or use the above links to open the recommendation directly) -1. View all clusters without an agent via the unhealthy tab. +1. View all clusters without a sensor via the unhealthy tab. -1. Select the clusters to deploy the desired agent on and select **Fix**. +1. Select the clusters to deploy the desired sensor on and select **Fix**. 1. Select **Fix X resources**. -## Deploying Defender agent - all options +## Deploying Defender sensor - all options You can enable the Defender for Containers plan and deploy all of the relevant components from the Azure portal, the REST API, or with a Resource Manager template. For detailed steps, select the relevant tab. -Once the Defender agent has been deployed, a default workspace is automatically assigned. 
You can [assign a custom workspace](../defender-for-containers-enable.md?pivots=defender-for-container-aks&tabs=aks-deploy-portal%2ck8s-deploy-asc%2ck8s-verify-asc%2ck8s-remove-arc%2caks-removeprofile-api#assign-a-custom-workspace) in place of the default workspace through Azure Policy. +Once the Defender sensor has been deployed, a default workspace is automatically assigned. You can [assign a custom workspace](../defender-for-containers-enable.md?pivots=defender-for-container-aks&tabs=aks-deploy-portal%2ck8s-deploy-asc%2ck8s-verify-asc%2ck8s-remove-arc%2caks-removeprofile-api#assign-a-custom-workspace) in place of the default workspace through Azure Policy. > [!NOTE] -> The Defender agent is deployed to each node to provide the runtime protections and collect signals from those nodes using [eBPF technology](https://ebpf.io/). +> The Defender sensor is deployed to each node to provide the runtime protections and collect signals from those nodes using [eBPF technology](https://ebpf.io/). ### [**Azure portal**](#tab/aks-deploy-portal) @@ -85,8 +85,8 @@ A streamlined, frictionless, process lets you use the Azure portal pages to enab A dedicated Defender for Cloud recommendation provides: -- **Visibility** about which of your clusters has the Defender agent deployed -- **Fix** button to deploy it to those clusters without the agent +- **Visibility** about which of your clusters has the Defender sensor deployed +- **Fix** button to deploy it to those clusters without the sensor 1. From Microsoft Defender for Cloud's recommendations page, open the **Enable enhanced security** security control. 
@@ -95,7 +95,7 @@ A dedicated Defender for Cloud recommendation provides: > [!TIP] > Notice the **Fix** icon in the actions column -1. Select the clusters to see the details of the healthy and unhealthy resources - clusters with and without the agent. +1. Select the clusters to see the details of the healthy and unhealthy resources - clusters with and without the sensor. 1. From the unhealthy resources list, select a cluster and select **Remediate** to open the pane with the remediation confirmation. @@ -103,7 +103,7 @@ A dedicated Defender for Cloud recommendation provides: ### [**REST API**](#tab/aks-deploy-rest) -### Use the REST API to deploy the Defender agent +### Use the REST API to deploy the Defender sensor To install the 'SecurityProfile' on an existing cluster with the REST API, run the following PUT command: @@ -150,7 +150,7 @@ Request body parameters: ### [**Azure CLI**](#tab/k8s-deploy-cli) -### Use Azure CLI to deploy the Defender agent +### Use Azure CLI to deploy the Defender sensor 1. Sign in to Azure: 
@@ -162,21 +162,21 @@ Request body parameters: > [!IMPORTANT] > Ensure that you use the same subscription ID for ```` as the one associated with your AKS cluster. -1. Enable the Defender agent on your containers: +1. Enable the Defender sensor on your containers: - - Run the following command to create a new cluster with the Defender agent enabled: + - Run the following command to create a new cluster with the Defender sensor enabled: ```azurecli az aks create --enable-defender --resource-group --name ``` - - Run the following command to enable the Defender agent on an existing cluster: + - Run the following command to enable the Defender sensor on an existing cluster: ```azurecli az aks update --enable-defender --resource-group --name ``` - A description of all the supported configuration settings on the Defender agent type is given below: + A description of all the supported configuration settings on the Defender sensor type is given below: | Property | Description | |----------|-------------| 
@@ -190,19 +190,19 @@ Request body parameters: Learn more about AKS CLI commands in [az aks](/cli/azure/aks). -1. To verify that the agent was successfully added, run the following command on your machine with the `kubeconfig` file pointed to your cluster: +1. To verify that the sensor was successfully added, run the following command on your machine with the `kubeconfig` file pointed to your cluster: ```console kubectl get pods -n kube-system ``` - When the agent is added, you should see a pod called `microsoft-defender-XXXXX` in `Running` state. It might take a few minutes for pods to be added. + When the sensor is added, you should see a pod called `microsoft-defender-XXXXX` in `Running` state. It might take a few minutes for pods to be added. ### [**Resource Manager**](#tab/aks-deploy-arm) -### Use Azure Resource Manager to deploy the Defender agent +### Use Azure Resource Manager to deploy the Defender sensor -To use Azure Resource Manager to deploy the Defender agent, you'll need a Log Analytics workspace on your subscription. Learn more in [Log Analytics workspaces](../../azure-monitor/logs/log-analytics-workspace-overview.md). +To use Azure Resource Manager to deploy the Defender sensor, you'll need a Log Analytics workspace on your subscription. Learn more in [Log Analytics workspaces](../../azure-monitor/logs/log-analytics-workspace-overview.md). > [!TIP] > If you're new to Resource Manager templates, start here: [What are Azure Resource Manager templates?](../../azure-resource-manager/templates/overview.md) diff --git a/articles/defender-for-cloud/includes/defender-for-containers-enable-plan-arc.md b/articles/defender-for-cloud/includes/defender-for-containers-enable-plan-arc.md index 0114bf49e0318..23a82c8570be0 100644 --- a/articles/defender-for-cloud/includes/defender-for-containers-enable-plan-arc.md +++ b/articles/defender-for-cloud/includes/defender-for-containers-enable-plan-arc.md 
@@ -49,14 +49,14 @@ Learn more about the [roles used to provision Defender for Containers extensions ## Prerequisites -Before deploying the agent, ensure you: +Before deploying the sensor, ensure you: - [Connect the Kubernetes cluster to Azure Arc](../../azure-arc/kubernetes/quickstart-connect-cluster.md) - Complete the [pre-requisites listed under the generic cluster extensions documentation](../../azure-arc/kubernetes/extensions.md#prerequisites). -## Deploy the Defender agent +## Deploy the Defender sensor -You can deploy the Defender agent using a range of methods. For detailed steps, select the relevant tab. +You can deploy the Defender sensor using a range of methods. For detailed steps, select the relevant tab. ### [**Azure portal**](#tab/k8s-deploy-asc) 
@@ -64,29 +64,29 @@ You can deploy the Defender agent using a range of methods. For detailed steps, A dedicated Defender for Cloud recommendation provides: -- **Visibility** about which of your clusters has the Defender agent deployed -- **Fix** button to deploy it to those clusters without the agent +- **Visibility** about which of your clusters has the Defender sensor deployed +- **Fix** button to deploy it to those clusters without the sensor 1. From Microsoft Defender for Cloud's recommendations page, open the **Enable enhanced security** security control. 1. Use the filter to find the recommendation named **Azure Arc-enabled Kubernetes clusters should have Defender for Cloud's extension installed**. - :::image type="content" source="../media/defender-for-kubernetes-azure-arc/extension-recommendation.png" alt-text="Microsoft Defender for Cloud's recommendation for deploying the Defender agent for Azure Arc-enabled Kubernetes clusters." lightbox="../media/defender-for-kubernetes-azure-arc/extension-recommendation.png"::: + :::image type="content" source="../media/defender-for-kubernetes-azure-arc/extension-recommendation.png" alt-text="Microsoft Defender for Cloud's recommendation for deploying the Defender sensor for Azure Arc-enabled Kubernetes clusters." lightbox="../media/defender-for-kubernetes-azure-arc/extension-recommendation.png"::: > [!TIP] > Notice the **Fix** icon in the actions column -1. Select the agent to see the details of the healthy and unhealthy resources - clusters with and without the agent. +1. Select the sensor to see the details of the healthy and unhealthy resources - clusters with and without the sensor. 1. From the unhealthy resources list, select a cluster and select **Remediate** to open the pane with the remediation options. 1. Select the relevant Log Analytics workspace and select **Remediate x resource**. 
- :::image type="content" source="../media/defender-for-kubernetes-azure-arc/security-center-deploy-extension.gif" alt-text="Deploy Defender agent for Azure Arc with Defender for Cloud's 'fix' option."::: + :::image type="content" source="../media/defender-for-kubernetes-azure-arc/security-center-deploy-extension.gif" alt-text="Deploy Defender sensor for Azure Arc with Defender for Cloud's 'fix' option."::: ### [**Azure CLI**](#tab/k8s-deploy-cli) -### Use Azure CLI to deploy the Defender agent +### Use Azure CLI to deploy the Defender sensor 1. Sign in to Azure: @@ -98,13 +98,13 @@ A dedicated Defender for Cloud recommendation provides: > [!IMPORTANT] > Ensure that you use the same subscription ID for ```` as the one that was used when connecting your cluster to Azure Arc. -1. Run the following command to deploy the agent on top of your Azure Arc-enabled Kubernetes cluster: +1. Run the following command to deploy the sensor on top of your Azure Arc-enabled Kubernetes cluster: ```azurecli az k8s-extension create --name microsoft.azuredefender.kubernetes --cluster-type connectedClusters --cluster-name --resource-group --extension-type microsoft.azuredefender.kubernetes ``` - A description of all the supported configuration settings on the Defender agent type is given below: + A description of all the supported configuration settings on the Defender sensor type is given below: | Property | Description | |----------|-------------| 
@@ -119,9 +119,9 @@ A dedicated Defender for Cloud recommendation provides: ### [**Resource Manager**](#tab/k8s-deploy-resource-manager) -### Use Azure Resource Manager to deploy the Defender agent +### Use Azure Resource Manager to deploy the Defender sensor -To use Azure Resource Manager to deploy the Defender agent, you'll need a Log Analytics workspace on your subscription. Learn more in [Log Analytics workspaces](../../azure-monitor/logs/log-analytics-workspace-overview.md). +To use Azure Resource Manager to deploy the Defender sensor, you'll need a Log Analytics workspace on your subscription. Learn more in [Log Analytics workspaces](../../azure-monitor/logs/log-analytics-workspace-overview.md). You can use the **azure-defender-extension-arm-template.json** Resource Manager template from Defender for Cloud's [installation examples](https://aka.ms/kubernetes-extension-installation-examples). 
@@ -130,14 +130,14 @@ You can use the **azure-defender-extension-arm-template.json** Resource Manager ### [**REST API**](#tab/k8s-deploy-api) -### Use REST API to deploy the Defender agent +### Use REST API to deploy the Defender sensor -To use the REST API to deploy the Defender agent, you'll need a Log Analytics workspace on your subscription. Learn more in [Log Analytics workspaces](../../azure-monitor/logs/log-analytics-workspace-overview.md). +To use the REST API to deploy the Defender sensor, you'll need a Log Analytics workspace on your subscription. Learn more in [Log Analytics workspaces](../../azure-monitor/logs/log-analytics-workspace-overview.md). > [!TIP] -> The simplest way to use the API to deploy the Defender agent is with the supplied **Postman Collection JSON** example from Defender for Cloud's [installation examples](https://aka.ms/kubernetes-extension-installation-examples). +> The simplest way to use the API to deploy the Defender sensor is with the supplied **Postman Collection JSON** example from Defender for Cloud's [installation examples](https://aka.ms/kubernetes-extension-installation-examples). -- To modify the Postman Collection JSON, or to manually deploy the agent with the REST API, run the following PUT command: +- To modify the Postman Collection JSON, or to manually deploy the sensor with the REST API, run the following PUT command: ```rest PUT https://management.azure.com/subscriptions/{{Subscription Id}}/resourcegroups/{{Resource Group}}/providers/Microsoft.Kubernetes/connectedClusters/{{Cluster Name}}/providers/Microsoft.KubernetesConfiguration/extensions/microsoft.azuredefender.kubernetes?api-version=2020-07-01-preview 
@@ -183,27 +183,27 @@ To use the REST API to deploy the Defender agent, you'll need a Log Analytics wo ## Verify the deployment -To verify that your cluster has the Defender agent installed on it, follow the steps in one of the tabs below: +To verify that your cluster has the Defender sensor installed on it, follow the steps in one of the tabs below: ### [**Azure portal - Defender for Cloud**](#tab/k8s-verify-asc) -### Use Defender for Cloud recommendation to verify the status of your agent +### Use Defender for Cloud recommendation to verify the status of your sensor 1. From Microsoft Defender for Cloud's recommendations page, open the **Enable Microsoft Defender for Cloud** security control. 1. Select the recommendation named **Azure Arc-enabled Kubernetes clusters should have Microsoft Defender for Cloud's extension installed**. - :::image type="content" source="../media/defender-for-kubernetes-azure-arc/extension-recommendation.png" alt-text="Microsoft Defender for Cloud's recommendation for deploying the Defender agent for Azure Arc-enabled Kubernetes clusters." lightbox="../media/defender-for-kubernetes-azure-arc/extension-recommendation.png"::: + :::image type="content" source="../media/defender-for-kubernetes-azure-arc/extension-recommendation.png" alt-text="Microsoft Defender for Cloud's recommendation for deploying the Defender sensor for Azure Arc-enabled Kubernetes clusters." lightbox="../media/defender-for-kubernetes-azure-arc/extension-recommendation.png"::: -1. Check that the cluster on which you deployed the agent is listed as **Healthy**. +1. Check that the cluster on which you deployed the sensor is listed as **Healthy**. ### [**Azure portal - Azure Arc**](#tab/k8s-verify-arc) -### Use the Azure Arc pages to verify the status of your agent +### Use the Azure Arc pages to verify the status of your sensor 1. From the Azure portal, open **Azure Arc**. 1. 
From the infrastructure list, select **Kubernetes clusters** and then select the specific cluster. -1. Open the extensions page. The extensions on the cluster are listed. To confirm whether the Defender agent was installed correctly, check the **Install status** column. +1. Open the extensions page. The extensions on the cluster are listed. To confirm whether the Defender sensor was installed correctly, check the **Install status** column. :::image type="content" source="../media/defender-for-kubernetes-azure-arc/extension-installed-clusters-page.png" alt-text="Azure Arc page for checking the status of all installed extensions on a Kubernetes cluster." lightbox="../media/defender-for-kubernetes-azure-arc/extension-installed-clusters-page.png"::: @@ -213,7 +213,7 @@ To verify that your cluster has the Defender agent installed on it, follow the s ### [**Azure CLI**](#tab/k8s-verify-cli) -### Use Azure CLI to verify that the agent is deployed +### Use Azure CLI to verify that the sensor is deployed 1. Run the following command on Azure CLI: @@ -234,9 +234,9 @@ To verify that your cluster has the Defender agent installed on it, follow the s ### [**REST API**](#tab/k8s-verify-api) -### Use the REST API to verify that the agent is deployed +### Use the REST API to verify that the sensor is deployed -To confirm a successful deployment, or to validate the status of your agent at any time: +To confirm a successful deployment, or to validate the status of your sensor at any time: 1. Run the following GET command: diff --git a/articles/defender-for-cloud/includes/defender-for-containers-enable-plan-eks.md b/articles/defender-for-cloud/includes/defender-for-containers-enable-plan-eks.md index f538ca4279ed9..28f3a56a9f980 100644 --- a/articles/defender-for-cloud/includes/defender-for-containers-enable-plan-eks.md +++ b/articles/defender-for-cloud/includes/defender-for-containers-enable-plan-eks.md 
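Review bot: In the @@ -183 hunk of defender-for-containers-enable.md, the alt text of `extension-recommendation.png` is renamed to "...deploying the Defender sensor..." while the image source path is unchanged; if the portal screenshot still shows the old "agent" wording, alt text and image diverge, so please check the screenshot (the same applies to the unchanged Azure Arc extensions page image in the same hunk). The recommendation name `Azure Arc-enabled Kubernetes clusters should have Microsoft Defender for Cloud's extension installed` is correctly left untouched, since it is a product string rather than prose.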
@@ -53,7 +53,7 @@ To protect your EKS clusters, enable the Containers plan on the relevant account For more information, see [Enabling IAM principal access to your cluster](https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html). -1. Azure Arc-enabled Kubernetes, the Defender agent, and Azure Policy for Kubernetes should be installed and running on your EKS clusters. There is a dedicated Defender for Cloud recommendations to install these extensions (and Azure Arc if necessary): +1. Azure Arc-enabled Kubernetes, the Defender sensor, and Azure Policy for Kubernetes should be installed and running on your EKS clusters. There is a dedicated Defender for Cloud recommendations to install these extensions (and Azure Arc if necessary): - `EKS clusters should have Microsoft Defender's extension for Azure Arc installed` For each of the recommendations, follow the steps below to install the required extensions. diff --git a/articles/defender-for-cloud/includes/defender-for-containers-enable-plan-gke.md b/articles/defender-for-cloud/includes/defender-for-containers-enable-plan-gke.md index 8dabfafac4219..da2f5a6107ce9 100644 --- a/articles/defender-for-cloud/includes/defender-for-containers-enable-plan-gke.md +++ b/articles/defender-for-cloud/includes/defender-for-containers-enable-plan-gke.md 
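Review bot: The edited line in the @@ -53 hunk of defender-for-containers-enable-plan-eks.md keeps a pre-existing number disagreement: "There is a dedicated Defender for Cloud recommendations to install these extensions" is followed by a single recommendation (`EKS clusters should have Microsoft Defender's extension for Azure Arc installed`), and the next context line says "For each of the recommendations, follow the steps below". Since the line is being touched anyway, suggest "There is a dedicated Defender for Cloud recommendation to install these extensions" and "Follow the steps below to install the required extensions", or restore the second recommendation if one was dropped.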
@@ -41,7 +41,7 @@ To protect your GKE clusters, you'll need to enable the Containers plan on the r > [!NOTE] > If you disable this configuration, then the `Threat detection (control plane)` feature will be disabled. Learn more about [features availability](../supported-machines-endpoint-solutions-clouds-containers.md). - - **Auto provision Defender's agent for Azure Arc** and **Auto provision Azure Policy extension for Azure Arc**: Enabled by default. You can install Azure Arc-enabled Kubernetes and its extensions on your GKE clusters in three ways: + - **Auto provision Defender's sensor for Azure Arc** and **Auto provision Azure Policy extension for Azure Arc**: Enabled by default. You can install Azure Arc-enabled Kubernetes and its extensions on your GKE clusters in three ways: - Enable Defender for Containers autoprovisioning at the project level, as explained in the instructions in this section. We recommend this method. - Use Defender for Cloud recommendations for per-cluster installation. They appear on the Microsoft Defender for Cloud recommendations page. [Learn how to deploy the solution to specific clusters](../defender-for-containers-enable.md?tabs=defender-for-container-gke#deploy-the-solution-to-specific-clusters). - Manually install [Arc-enabled Kubernetes](../../azure-arc/kubernetes/quickstart-connect-cluster.md) and [extensions](../../azure-arc/kubernetes/extensions.md). 
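Review bot: `**Auto provision Defender's sensor for Azure Arc**` in the @@ -41 hunk of defender-for-containers-enable-plan-gke.md (and the identical change in the quickstart-onboard-gcp.md hunk later in this patch) is a portal toggle label in bold UI formatting, not prose; it should only be renamed if the GCP connector UI itself now says "sensor", otherwise readers will look for a toggle that does not exist. Please confirm the UI string, or keep the label exactly as the portal displays it.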
@@ -61,7 +61,7 @@ The connector will update after the script executes. This process can take up to ### Deploy the solution to specific clusters -If you disabled any of the default auto provisioning configurations to Off, during the [GCP connector onboarding process](../quickstart-onboard-gcp.md#configure-the-defender-for-containers-plan), or afterwards. You'll need to manually install Azure Arc-enabled Kubernetes, the Defender agent, and the Azure Policy for Kubernetes to each of your GKE clusters to get the full security value out of Defender for Containers. +If you disabled any of the default auto provisioning configurations to Off, during the [GCP connector onboarding process](../quickstart-onboard-gcp.md#configure-the-defender-for-containers-plan), or afterwards. You'll need to manually install Azure Arc-enabled Kubernetes, the Defender sensor, and the Azure Policy for Kubernetes to each of your GKE clusters to get the full security value out of Defender for Containers. There are 2 dedicated Defender for Cloud recommendations you can use to install the extensions (and Arc if necessary): diff --git a/articles/defender-for-cloud/includes/defender-for-containers-remove-extension.md b/articles/defender-for-cloud/includes/defender-for-containers-remove-extension.md index aa2241b7c014b..1ead0b89a6b9f 100644 --- a/articles/defender-for-cloud/includes/defender-for-containers-remove-extension.md +++ b/articles/defender-for-cloud/includes/defender-for-containers-remove-extension.md @@ -5,7 +5,7 @@ ms.date: 07/14/2022 ms.author: dacurwin author: dcurwin --- -## Remove the Defender agent +## Remove the Defender sensor ::: zone pivot="defender-for-container-arc" To remove this - or any - Defender for Cloud extension, it's not enough to turn off auto provisioning: 
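Review bot: The edited sentence in the @@ -61 hunk of defender-for-containers-enable-plan-gke.md is still a fragment: "If you disabled any of the default auto provisioning configurations to Off, during the [GCP connector onboarding process](...), or afterwards. You'll need to manually install...". Suggest joining it while the line is being changed: "If you set any of the default auto provisioning configurations to Off, during the GCP connector onboarding process or afterwards, you'll need to manually install Azure Arc-enabled Kubernetes, the Defender sensor, and Azure Policy for Kubernetes on each of your GKE clusters to get the full security value out of Defender for Containers." (keeping the existing link).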
@@ -34,7 +34,7 @@ You can remove the extension using Azure portal, Azure CLI, or REST API as expla ### [**Azure CLI**](#tab/k8s-remove-cli) -### Use Azure CLI to remove the Defender agent +### Use Azure CLI to remove the Defender sensor 1. Remove the Microsoft Defender for Kubernetes Arc extension with the following commands: @@ -62,7 +62,7 @@ You can remove the extension using Azure portal, Azure CLI, or REST API as expla ### [**REST API**](#tab/k8s-remove-api) -### Use REST API to remove the Defender agent +### Use REST API to remove the Defender sensor To remove the extension using the REST API, run the following DELETE command: diff --git a/articles/defender-for-cloud/includes/defender-for-containers-remove-profile.md b/articles/defender-for-cloud/includes/defender-for-containers-remove-profile.md index 419c322077077..254e65d406148 100644 --- a/articles/defender-for-cloud/includes/defender-for-containers-remove-profile.md +++ b/articles/defender-for-cloud/includes/defender-for-containers-remove-profile.md @@ -5,7 +5,7 @@ ms.date: 06/01/2023 ms.author: dacurwin author: dcurwin --- -## Remove the Defender agent +## Remove the Defender sensor To remove this - or any - Defender for Cloud extension, it's not enough to turn off auto provisioning: @@ -21,7 +21,7 @@ You can remove the extension using the REST API or a Resource Manager template a ### [**REST API**](#tab/aks-removeprofile-api) -### Use REST API to remove the Defender agent from AKS +### Use REST API to remove the Defender sensor from AKS To remove the extension using the REST API, run the following PUT command: @@ -62,7 +62,7 @@ Request body parameters: ### [**Azure CLI**](#tab/k8s-remove-cli) -### Use Azure CLI to remove the Defender agent +### Use Azure CLI to remove the Defender sensor 1. Remove the Microsoft Defender for with the following commands: 
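Review bot: The context line "1. Remove the Microsoft Defender for with the following commands:" in the @@ -62 hunk of defender-for-containers-remove-profile.md is missing the product name after "Defender for"; since the heading directly above it is being renamed to "Use Azure CLI to remove the Defender sensor", this is the moment to complete the step text to match the new term (for example "Remove the Defender sensor with the following commands:").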
@@ -84,14 +84,14 @@ Request body parameters: ### [**Resource Manager**](#tab/aks-removeprofile-resource-manager) -### Use Azure Resource Manager to remove the Defender agent from AKS +### Use Azure Resource Manager to remove the Defender sensor from AKS -To use Azure Resource Manager to remove the Defender agent, you'll need a Log Analytics workspace on your subscription. Learn more in [Log Analytics workspaces](../../azure-monitor/logs/log-analytics-workspace-overview.md). +To use Azure Resource Manager to remove the Defender sensor, you'll need a Log Analytics workspace on your subscription. Learn more in [Log Analytics workspaces](../../azure-monitor/logs/log-analytics-workspace-overview.md). > [!TIP] > If you're new to Resource Manager templates, start here: [What are Azure Resource Manager templates?](../../azure-resource-manager/templates/overview.md) -The relevant template and parameters to remove the Defender agent from AKS are: +The relevant template and parameters to remove the Defender sensor from AKS are: ```json { diff --git a/articles/defender-for-cloud/monitoring-components.md b/articles/defender-for-cloud/monitoring-components.md index 0f3e8939f2da9..46ca16272736a 100644 --- a/articles/defender-for-cloud/monitoring-components.md +++ b/articles/defender-for-cloud/monitoring-components.md @@ -46,7 +46,7 @@ These plans use monitoring components to collect data: - Automatic SQL server discovery and registration - Defender for Containers - [Azure Arc agent](../azure-arc/servers/manage-vm-extensions.md) (For multicloud and on-premises servers) - - [Defender agent, Azure Policy for Kubernetes, Kubernetes audit log data](defender-for-containers-introduction.md) + - [Defender sensor, Azure Policy for Kubernetes, Kubernetes audit log data](defender-for-containers-introduction.md) ## Availability of extensions 
@@ -145,12 +145,12 @@ By default, the required extensions are enabled when you enable Defender for Con | Aspect | Azure Kubernetes Service clusters | Azure Arc-enabled Kubernetes clusters | |------------------------------------------------------|----------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------| -| Release state: | • Defender agent: GA
• Azure Policy for Kubernetes: Generally available (GA) | • Defender agent: Preview
• Azure Policy for Kubernetes: Preview | +| Release state: | • Defender sensor: GA
• Azure Policy for Kubernetes: Generally available (GA) | • Defender sensor: Preview
• Azure Policy for Kubernetes: Preview | | Relevant Defender plan: | [Microsoft Defender for Containers](defender-for-containers-introduction.md) | [Microsoft Defender for Containers](defender-for-containers-introduction.md) | | Required roles and permissions (subscription-level): | [Owner](../role-based-access-control/built-in-roles.md#owner) or [User Access Administrator](../role-based-access-control/built-in-roles.md#user-access-administrator) | [Owner](../role-based-access-control/built-in-roles.md#owner) or [User Access Administrator](../role-based-access-control/built-in-roles.md#user-access-administrator) | -| Supported destinations: | The AKS Defender agent only supports [AKS clusters that have RBAC enabled](../aks/concepts-identity.md#kubernetes-rbac). | [See Kubernetes distributions supported for Arc-enabled Kubernetes](supported-machines-endpoint-solutions-clouds-containers.md?tabs=azure-aks#kubernetes-distributions-and-configurations) | +| Supported destinations: | The AKS Defender sensor only supports [AKS clusters that have RBAC enabled](../aks/concepts-identity.md#kubernetes-rbac). | [See Kubernetes distributions supported for Arc-enabled Kubernetes](supported-machines-endpoint-solutions-clouds-containers.md?tabs=azure-aks#kubernetes-distributions-and-configurations) | | Policy-based: | :::image type="icon" source="./media/icons/yes-icon.png"::: Yes | :::image type="icon" source="./media/icons/yes-icon.png"::: Yes | -| Clouds: | **Defender agent**:
:::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds
:::image type="icon" source="./media/icons/no-icon.png"::: Azure Government, Microsoft Azure operated by 21Vianet
**Azure Policy for Kubernetes**:
:::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds
:::image type="icon" source="./media/icons/yes-icon.png"::: Azure Government, Microsoft Azure operated by 21Vianet|**Defender agent**:
:::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds
:::image type="icon" source="./media/icons/no-icon.png"::: Azure Government, Microsoft Azure operated by 21Vianet
**Azure Policy for Kubernetes**:
:::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds
:::image type="icon" source="./media/icons/no-icon.png"::: Azure Government, Microsoft Azure operated by 21Vianet| +| Clouds: | **Defender sensor**:
:::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds
:::image type="icon" source="./media/icons/no-icon.png"::: Azure Government, Microsoft Azure operated by 21Vianet
**Azure Policy for Kubernetes**:
:::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds
:::image type="icon" source="./media/icons/yes-icon.png"::: Azure Government, Microsoft Azure operated by 21Vianet|**Defender sensor**:
:::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds
:::image type="icon" source="./media/icons/no-icon.png"::: Azure Government, Microsoft Azure operated by 21Vianet
**Azure Policy for Kubernetes**:
:::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds
:::image type="icon" source="./media/icons/no-icon.png"::: Azure Government, Microsoft Azure operated by 21Vianet| Learn more about the [roles used to provision Defender for Containers extensions](permissions.md#roles-used-to-automatically-provision-agents-and-extensions). diff --git a/articles/defender-for-cloud/plan-multicloud-security-determine-data-residency-requirements.md b/articles/defender-for-cloud/plan-multicloud-security-determine-data-residency-requirements.md index 5bdc8338eef02..4259eeb1c1f3d 100644 --- a/articles/defender-for-cloud/plan-multicloud-security-determine-data-residency-requirements.md +++ b/articles/defender-for-cloud/plan-multicloud-security-determine-data-residency-requirements.md 
@@ -52,12 +52,12 @@ Agents are used in the Defender for Servers plan as follows: - **Google Kubernetes Engine (GKE) in a connected GCP project** - Google’s managed environment for deploying, managing, and scaling applications using GCP infrastructure. - **Other Kubernetes distributions** - using [Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md), which allows you to attach and configure Kubernetes clusters running anywhere, including other public clouds and on-premises. -Defender for Containers has both agent-based and agentless components. +Defender for Containers has both sensor-based and agentless components. - **Agentless collection of Kubernetes audit log data**: [Amazon CloudWatch](https://aws.amazon.com/cloudwatch/) or GCP Cloud Logging enables and collects audit log data, and sends the collected information to Defender for Cloud for further analysis. Data storage is based on the EKS cluster AWS region, in accordance with GDPR - EU and US. - **Agentless collection for Kubernetes inventory**: Collect data on your Kubernetes clusters and their resources, such as: Namespaces, Deployments, Pods, and Ingresses. -- **Agent-based Azure Arc-enabled Kubernetes**: Connects your EKS and GKE clusters to Azure using [Azure Arc agents](../azure-arc/kubernetes/conceptual-agent-overview.md), so that they’re treated as Azure Arc resources. -- **[Defender agent](defender-for-cloud-glossary.md#defender-agent)**: A DaemonSet that collects signals from hosts using eBPF technology, and provides runtime protection. The extension is registered with a Log Analytics workspace and used as a data pipeline. The audit log data isn't stored in the Log Analytics workspace. +- **Sensor-based Azure Arc-enabled Kubernetes**: Connects your EKS and GKE clusters to Azure using [Azure Arc agents](../azure-arc/kubernetes/conceptual-agent-overview.md), so that they’re treated as Azure Arc resources. 
+- **[Defender sensor](defender-for-cloud-glossary.md#defender-sensor)**: A DaemonSet that collects signals from hosts using eBPF technology, and provides runtime protection. The extension is registered with a Log Analytics workspace and used as a data pipeline. The audit log data isn't stored in the Log Analytics workspace. - **Azure Policy for Kubernetes**: configuration information is collected by Azure Policy for Kubernetes. - Azure Policy for Kubernetes extends the open-source Gatekeeper v3 admission controller webhook for Open Policy Agent. - The extension registers as a web hook to Kubernetes admission control and makes it possible to apply at-scale enforcement, safeguarding your clusters in a centralized, consistent manner. diff --git a/articles/defender-for-cloud/plan-multicloud-security-determine-multicloud-dependencies.md b/articles/defender-for-cloud/plan-multicloud-security-determine-multicloud-dependencies.md index a6c04628143cd..170c2b82d7837 100644 --- a/articles/defender-for-cloud/plan-multicloud-security-determine-multicloud-dependencies.md +++ b/articles/defender-for-cloud/plan-multicloud-security-determine-multicloud-dependencies.md @@ -50,7 +50,7 @@ The following table summarizes extension requirements for CWPP. |Vulnerability assessment| ✔| || |Agentless Disk Scanning| ✔ | ✔ || |Log Analytics or Azure Monitor Agent (preview) extension|✔| |✔| -|Defender agent| | ✔| | +|Defender sensor| | ✔| | |Azure Policy for Kubernetes | | ✔| | |Kubernetes audit log data | | ✔| | |SQL servers on machines | | | ✔| 
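Review bot: In the @@ -52 hunk of plan-multicloud-security-determine-data-residency-requirements.md, `- **Sensor-based Azure Arc-enabled Kubernetes**` is a mechanical find/replace error: the bullet describes the Azure Arc agents (it links to conceptual-agent-overview.md), not the Defender sensor, so "Agent-based" was correct there. The same goes for "Defender for Containers has both sensor-based and agentless components", since the components listed include the Arc agents and Azure Policy; suggest reverting those two and renaming only the `Defender sensor` bullet. Also, this hunk and the @@ -98 hunk in plan-multicloud-security-determine-multicloud-dependencies.md now link to `defender-for-cloud-glossary.md#defender-sensor`, but no change to the glossary is in the visible patch; please confirm the glossary entry was renamed so the anchor resolves.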
@@ -98,14 +98,14 @@ Enabling Defender for Containers provides GKE and EKS clusters and underlying ho The required [components](./defender-for-containers-introduction.md) are as follows: -- **Azure Arc Agent**: Connects your GKE and EKS clusters to Azure, and onboards the Defender agent. -- **[Defender agent](defender-for-cloud-glossary.md#defender-agent)**: Provides host-level runtime threat protection. +- **Azure Arc Agent**: Connects your GKE and EKS clusters to Azure, and onboards the Defender sensor. +- **[Defender sensor](defender-for-cloud-glossary.md#defender-sensor)**: Provides host-level runtime threat protection. - **Azure Policy for Kubernetes**: Extends the Gatekeeper v3 to monitor every request to the Kubernetes API server, and ensures that security best practices are being followed on clusters and workloads. - **Kubernetes audit logs**: Audit logs from the API server allow Defender for Containers to identify suspicious activity within your multicloud servers, and provide deeper insights while investigating alerts. Sending of the “Kubernetes audit logs” needs to be enabled on the connector level. #### Check networking requirements - Defender for Containers -Make sure to check that your clusters meet network requirements so that the Defender agent can connect with Defender for Cloud. +Make sure to check that your clusters meet network requirements so that the Defender sensor can connect with Defender for Cloud. ### Defender for SQL diff --git a/articles/defender-for-cloud/quickstart-onboard-aws.md b/articles/defender-for-cloud/quickstart-onboard-aws.md index 024103377a5cc..bae1febeb3f48 100644 --- a/articles/defender-for-cloud/quickstart-onboard-aws.md +++ b/articles/defender-for-cloud/quickstart-onboard-aws.md 
@@ -191,7 +191,7 @@ In this section of the wizard, you select the Defender for Cloud plans that you 1. By default, the **Containers** plan is set to **On**. This setting is necessary to have Defender for Containers protect your AWS EKS clusters. Ensure that you fulfilled the [network requirements](./defender-for-containers-enable.md?pivots=defender-for-container-eks&source=docs&tabs=aks-deploy-portal%2ck8s-deploy-asc%2ck8s-verify-asc%2ck8s-remove-arc%2caks-removeprofile-api#network-requirements) for the Defender for Containers plan. > [!NOTE] - > Azure Arc-enabled Kubernetes, the Azure Arc extensions for Defender agent, and Azure Policy for Kubernetes should be installed. Use the dedicated Defender for Cloud recommendations to deploy the extensions (and Azure Arc, if necessary), as explained in [Protect Amazon Elastic Kubernetes Service clusters](defender-for-containers-enable.md?tabs=defender-for-container-eks). + > Azure Arc-enabled Kubernetes, the Azure Arc extensions for Defender sensor, and Azure Policy for Kubernetes should be installed. Use the dedicated Defender for Cloud recommendations to deploy the extensions (and Azure Arc, if necessary), as explained in [Protect Amazon Elastic Kubernetes Service clusters](defender-for-containers-enable.md?tabs=defender-for-container-eks). Optionally, select **Configure** to edit the configuration as required. If you choose to turn off this configuration, the **Threat detection (control plane)** feature is also disabled. [Learn more about feature availability](supported-machines-endpoint-solutions-clouds-containers.md). diff --git a/articles/defender-for-cloud/quickstart-onboard-gcp.md b/articles/defender-for-cloud/quickstart-onboard-gcp.md index 8a3f73ec13fdc..baa1545e439cb 100644 --- a/articles/defender-for-cloud/quickstart-onboard-gcp.md +++ b/articles/defender-for-cloud/quickstart-onboard-gcp.md 
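Review bot: The edited note in the @@ -191 hunk of quickstart-onboard-aws.md reads "the Azure Arc extensions for Defender sensor", which drops the article; suggest "the Azure Arc extension for the Defender sensor, and Azure Policy for Kubernetes should be installed" so the sentence reads as a list of three components.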
@@ -262,7 +262,7 @@ Microsoft Defender for Containers brings threat detection and advanced defenses > [!NOTE] > If you disable this configuration, then the `Threat detection (control plane)` feature will be disabled. Learn more about [features availability](supported-machines-endpoint-solutions-clouds-containers.md). -- **Auto provision Defender's agent for Azure Arc** and **Auto provision Azure Policy extension for Azure Arc**: Enabled by default. You can install Azure Arc-enabled Kubernetes and its extensions on your GKE clusters in three ways: +- **Auto provision Defender's sensor for Azure Arc** and **Auto provision Azure Policy extension for Azure Arc**: Enabled by default. You can install Azure Arc-enabled Kubernetes and its extensions on your GKE clusters in three ways: - Enable Defender for Containers autoprovisioning at the project level, as explained in the instructions in this section. We recommend this method. - Use Defender for Cloud recommendations for per-cluster installation. They appear on the Microsoft Defender for Cloud recommendations page. [Learn how to deploy the solution to specific clusters](defender-for-containers-enable.md?tabs=defender-for-container-gke#deploy-the-solution-to-specific-clusters). - Manually install [Arc-enabled Kubernetes](../azure-arc/kubernetes/quickstart-connect-cluster.md) and [extensions](../azure-arc/kubernetes/extensions.md). diff --git a/articles/defender-for-cloud/release-notes-archive.md b/articles/defender-for-cloud/release-notes-archive.md index fabb9f5e0b368..10d4683174362 100644 --- a/articles/defender-for-cloud/release-notes-archive.md +++ b/articles/defender-for-cloud/release-notes-archive.md 
@@ -1169,7 +1169,7 @@ The new security agent is a Kubernetes DaemonSet, based on eBPF technology and i The security agent enablement is available through autoprovisioning, recommendations flow, AKS RP or at scale using Azure Policy. -You can [deploy the Defender agent](./defender-for-containers-enable.md?pivots=defender-for-container-aks&tabs=aks-deploy-portal%2ck8s-deploy-asc%2ck8s-verify-asc%2ck8s-remove-arc%2caks-removeprofile-api#deploy-the-defender-agent) today on your AKS clusters. +You can [deploy the Defender agent](./defender-for-containers-enable.md?pivots=defender-for-container-aks&tabs=aks-deploy-portal%2ck8s-deploy-asc%2ck8s-verify-asc%2ck8s-remove-arc%2caks-removeprofile-api#deploy-the-defender-sensor) today on your AKS clusters. With this announcement, the runtime protection - threat detection (workload) is now also generally available. @@ -1333,7 +1333,7 @@ Updates in May include: - [Multicloud settings of Servers plan are now available in connector level](#multicloud-settings-of-servers-plan-are-now-available-in-connector-level) - [JIT (Just-in-time) access for VMs is now available for AWS EC2 instances (Preview)](#jit-just-in-time-access-for-vms-is-now-available-for-aws-ec2-instances-preview) -- [Add and remove the Defender agent for AKS clusters using the CLI](#add-and-remove-the-defender-agent-for-aks-clusters-using-the-cli) +- [Add and remove the Defender sensor for AKS clusters using the CLI](#add-and-remove-the-defender-sensor-for-aks-clusters-using-the-cli) ### Multicloud settings of Servers plan are now available in connector level 
@@ -1365,9 +1365,9 @@ When you [connect AWS accounts](quickstart-onboard-aws.md), JIT will automatical Learn how [JIT protects your AWS EC2 instances](just-in-time-access-overview.md#how-jit-operates-with-network-resources-in-azure-and-aws) -### Add and remove the Defender agent for AKS clusters using the CLI +### Add and remove the Defender sensor for AKS clusters using the CLI -The [Defender agent](defender-for-cloud-glossary.md#defender-agent) is required for Defender for Containers to provide the runtime protections and collects signals from nodes. You can now use the Azure CLI to [add and remove the Defender agent](defender-for-containers-enable.md?tabs=k8s-deploy-cli%2Ck8s-deploy-asc%2Ck8s-verify-asc%2Ck8s-remove-arc%2Ck8s-remove-cli&pivots=defender-for-container-aks#use-azure-cli-to-deploy-the-defender-agent) for an AKS cluster. +The [Defender agent](defender-for-cloud-glossary.md#defender-sensor) is required for Defender for Containers to provide the runtime protections and collects signals from nodes. You can now use the Azure CLI to [add and remove the Defender agent](defender-for-containers-enable.md?tabs=k8s-deploy-cli%2Ck8s-deploy-asc%2Ck8s-verify-asc%2Ck8s-remove-arc%2Ck8s-remove-cli&pivots=defender-for-container-aks#use-azure-cli-to-deploy-the-defender-sensor) for an AKS cluster. > [!NOTE] > This option is included in [Azure CLI 3.7 and above](/cli/azure/update-azure-cli). diff --git a/articles/defender-for-cloud/release-notes.md b/articles/defender-for-cloud/release-notes.md index 587c320d912a7..135138c7f7e96 100644 --- a/articles/defender-for-cloud/release-notes.md +++ b/articles/defender-for-cloud/release-notes.md 
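Review bot: The @@ -1365 hunk of release-notes-archive.md renames the heading to "Add and remove the Defender sensor for AKS clusters using the CLI" but leaves the body saying "The [Defender agent](...#defender-sensor) is required..." and "add and remove the Defender agent", so heading and text now disagree. The @@ -1169 hunk in the same file takes the other approach (historical wording kept, only the link target updated), which is the right one for an archive; suggest reverting the heading here (and the matching TOC entry in the @@ -1333 hunk, so the in-page anchor still matches) and keeping only the anchor fixes, rather than mixing both approaches in one section.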
@@ -156,7 +156,7 @@ The Defender for Cloud Containers Vulnerability Assessment powered by Qualys is |----------|----------| | February 28 | [Updated security policy management expands support to AWS and GCP](#updated-security-policy-management-expands-support-to-aws-and-gcp) | | February 26 | [Cloud support for Defender for Containers](#cloud-support-for-defender-for-containers) | -| February 20 | [New version of Defender Agent for Defender for Containers](#new-version-of-defender-agent-for-defender-for-containers) | +| February 20 | [New version of Defender sensor for Defender for Containers](#new-version-of-defender-sensor-for-defender-for-containers) | | February 18| [Open Container Initiative (OCI) image format specification support](#open-container-initiative-oci-image-format-specification-support) | | February 13 | [AWS container vulnerability assessment powered by Trivy retired](#aws-container-vulnerability-assessment-powered-by-trivy-retired) | | February 8 | [Recommendations released for preview: four recommendations for Azure Stack HCI resource type](#recommendations-released-for-preview-four-recommendations-for-azure-stack-hci-resource-type) | 
@@ -177,11 +177,11 @@ February 26, 2024 Azure Kubernetes Service (AKS) threat detection features in Defender for Containers are now fully supported in commercial, Azure Government, and Azure China 21Vianet clouds. [Review](support-matrix-defender-for-containers.md#azure) supported features. -### New version of Defender Agent for Defender for Containers +### New version of Defender sensor for Defender for Containers February 20, 2024 -[A new version](../aks/supported-kubernetes-versions.md#aks-kubernetes-release-calendar) of the [Defender Agent for Defender for Containers](tutorial-enable-containers-azure.md#deploy-the-defender-agent-in-azure) is available. It includes performance and security improvements, support for both AMD64 and ARM64 arch nodes (Linux only), and uses [Inspektor Gadget](https://www.inspektor-gadget.io/) as the process collection agent instead of Sysdig. The new version is only supported on Linux kernel versions 5.4 and higher, so if you have older versions of the Linux kernel, you need to upgrade. Support for ARM 64 is only available from AKS V1.29 and above. For more information, see [Supported host operating systems](support-matrix-defender-for-containers.md#supported-host-operating-systems). +[A new version](../aks/supported-kubernetes-versions.md#aks-kubernetes-release-calendar) of the [Defender sensor for Defender for Containers](tutorial-enable-containers-azure.md#deploy-the-defender-sensor-in-azure) is available. It includes performance and security improvements, support for both AMD64 and ARM64 arch nodes (Linux only), and uses [Inspektor Gadget](https://www.inspektor-gadget.io/) as the process collection agent instead of Sysdig. The new version is only supported on Linux kernel versions 5.4 and higher, so if you have older versions of the Linux kernel, you need to upgrade. Support for ARM 64 is only available from AKS V1.29 and above. 
For more information, see [Supported host operating systems](support-matrix-defender-for-containers.md#supported-host-operating-systems). ### Open Container Initiative (OCI) image format specification support diff --git a/articles/defender-for-cloud/support-matrix-defender-for-containers.md b/articles/defender-for-cloud/support-matrix-defender-for-containers.md index 52f095d5ca688..01017f64fd2a4 100644 --- a/articles/defender-for-cloud/support-matrix-defender-for-containers.md +++ b/articles/defender-for-cloud/support-matrix-defender-for-containers.md @@ -29,7 +29,7 @@ Following are the features for each of the domains in Defender for Containers: ### Security posture management -| Feature | Description | Supported resources | Linux release state | Windows release state | Enablement method | Agent | Plans | Azure clouds availability | +| Feature | Description | Supported resources | Linux release state | Windows release state | Enablement method | Sensor | Plans | Azure clouds availability | |--|--|--|--|--|--|--|--|--| | [Agentless discovery for Kubernetes](defender-for-containers-introduction.md#security-posture-management) | Provides zero footprint, API-based discovery of Kubernetes clusters, their configurations and deployments. | AKS | GA | GA | Enable **Agentless discovery on Kubernetes** toggle | Agentless | Defender for Containers **OR** Defender CSPM | Azure commercial clouds | | Comprehensive inventory capabilities | Enables you to explore resources, pods, services, repositories, images, and configurations through [security explorer](how-to-manage-cloud-security-explorer.md#build-a-query-with-the-cloud-security-explorer) to easily monitor and manage your assets. | ACR, AKS | GA | GA | Enable **Agentless discovery on Kubernetes** toggle | Agentless| Defender for Containers **OR** Defender CSPM | Azure commercial clouds | 
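Review bot: The @@ -177 hunk of release-notes.md changes the link target to `tutorial-enable-containers-azure.md#deploy-the-defender-sensor-in-azure`, but tutorial-enable-containers-azure.md is not touched in the visible patch, so please confirm that heading was renamed so the anchor resolves. Renaming the published "February 20, 2024" release note heading also changes its anchor; the @@ -156 table in this file is updated to match, but any external links to `#new-version-of-defender-agent-for-defender-for-containers` will break, so consider keeping the original heading for an already published note.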
@@ -41,25 +41,25 @@ Following are the features for each of the domains in Defender for Containers: ### Vulnerability assessment -| Feature | Description | Supported resources | Linux release state | Windows release state | Enablement method | Agent | Plans | Azure clouds availability | +| Feature | Description | Supported resources | Linux release state | Windows release state | Enablement method | Sensor | Plans | Azure clouds availability | |--|--|--|--|--|--|--|--|--| | Agentless registry scan (powered by Microsoft Defender Vulnerability Management) [supported packages](#registries-and-images-support-for-azure---vulnerability-assessment-powered-by-microsoft-defender-vulnerability-management)| Vulnerability assessment for images in ACR | ACR, Private ACR | GA | Preview | Enable **Agentless container vulnerability assessment** toggle | Agentless | Defender for Containers or Defender CSPM | Commercial clouds

National clouds: Azure Government, Azure operated by 21Vianet | -| Agentless/agent-based runtime (powered by Microsoft Defender Vulnerability Management) [supported packages](#registries-and-images-support-for-azure---vulnerability-assessment-powered-by-microsoft-defender-vulnerability-management)| Vulnerability assessment for running images in AKS | AKS | GA | Preview | Enable **Agentless container vulnerability assessment** toggle | Agentless (Requires Agentless discovery for Kubernetes) **OR/AND** Defender agent | Defender for Containers or Defender CSPM | Commercial clouds

National clouds: Azure Government, Azure operated by 21Vianet | +| Agentless/agent-based runtime (powered by Microsoft Defender Vulnerability Management) [supported packages](#registries-and-images-support-for-azure---vulnerability-assessment-powered-by-microsoft-defender-vulnerability-management)| Vulnerability assessment for running images in AKS | AKS | GA | Preview | Enable **Agentless container vulnerability assessment** toggle | Agentless (Requires Agentless discovery for Kubernetes) **OR/AND** Defender sensor | Defender for Containers or Defender CSPM | Commercial clouds

National clouds: Azure Government, Azure operated by 21Vianet | ### Runtime threat protection -| Feature | Description | Supported resources | Linux release state | Windows release state | Enablement method | Agent | Plans | Azure clouds availability | +| Feature | Description | Supported resources | Linux release state | Windows release state | Enablement method | Sensor | Plans | Azure clouds availability | |--|--|--|--|--|--|--|--|--| | [Control plane](defender-for-containers-introduction.md#run-time-protection-for-kubernetes-nodes-and-clusters) | Detection of suspicious activity for Kubernetes based on Kubernetes audit trail | AKS | GA | GA | Enabled with plan | Agentless | Defender for Containers | Commercial clouds

National clouds: Azure Government, Azure operated by 21Vianet | -| Workload | Detection of suspicious activity for Kubernetes for cluster level, node level, and workload level | AKS | GA | - | Enable **Defender Agent in Azure** toggle **OR** deploy Defender agent on individual clusters | Defender agent | Defender for Containers | Commercial clouds

National clouds: Azure Government, Azure China 21Vianet | +| Workload | Detection of suspicious activity for Kubernetes for cluster level, node level, and workload level | AKS | GA | - | Enable **Defender Sensor in Azure** toggle **OR** deploy Defender sensors on individual clusters | Defender sensor | Defender for Containers | Commercial clouds

National clouds: Azure Government, Azure China 21Vianet | ### Deployment & monitoring -| Feature | Description | Supported resources | Linux release state | Windows release state | Enablement method | Agent | Plans | Azure clouds availability | +| Feature | Description | Supported resources | Linux release state | Windows release state | Enablement method | Sensor | Plans | Azure clouds availability | |--|--|--|--|--|--|--|--|--| -| Discovery of unprotected clusters | Discovering Kubernetes clusters missing Defender agents | AKS | GA | GA | Enabled with plan | Agentless | Free | Commercial clouds

National clouds: Azure Government, Azure operated by 21Vianet | -| Defender agent auto provisioning | Automatic deployment of Defender agent | AKS | GA | - | Enable **Defender Agent in Azure** toggle | Agentless | Defender for Containers | Commercial clouds

National clouds: Azure Government, Azure operated by 21Vianet | -| Azure Policy for Kubernetes auto provisioning | Automatic deployment of Azure policy agent for Kubernetes | AKS | GA | - | Enable **Azure policy for Kubernetes** toggle | Agentless | Free | Commercial clouds

National clouds: Azure Government, Azure operated by 21Vianet | +| Discovery of unprotected clusters | Discovering Kubernetes clusters missing Defender sensors | AKS | GA | GA | Enabled with plan | Agentless | Free | Commercial clouds

National clouds: Azure Government, Azure operated by 21Vianet | +| Defender sensor auto provisioning | Automatic deployment of Defender sensor | AKS | GA | - | Enable **Defender Sensor in Azure** toggle | Agentless | Defender for Containers | Commercial clouds

National clouds: Azure Government, Azure operated by 21Vianet | +| Azure Policy for Kubernetes auto provisioning | Automatic deployment of Azure policy sensor for Kubernetes | AKS | GA | - | Enable **Azure policy for Kubernetes** toggle | Agentless | Free | Commercial clouds

National clouds: Azure Government, Azure operated by 21Vianet | ### Registries and images support for Azure - Vulnerability assessment powered by Microsoft Defender Vulnerability Management @@ -84,7 +84,7 @@ Following are the features for each of the domains in Defender for Containers: ### Private link restrictions -Defender for Containers relies on the [Defender agent](defender-for-cloud-glossary.md#defender-agent) for several features. The Defender agent doesn't support the ability to ingest data through Private Link. You can disable public access for ingestion, so that only machines that are configured to send traffic through Azure Monitor Private Link can send data to that workstation. You can configure a private link by navigating to **`your workspace`** > **Network Isolation** and setting the Virtual networks access configurations to **No**. +Defender for Containers relies on the [Defender sensor](defender-for-cloud-glossary.md#defender-sensor) for several features. The Defender sensor doesn't support the ability to ingest data through Private Link. You can disable public access for ingestion, so that only machines that are configured to send traffic through Azure Monitor Private Link can send data to that workstation. You can configure a private link by navigating to **`your workspace`** > **Network Isolation** and setting the Virtual networks access configurations to **No**. :::image type="content" source="media/supported-machines-endpoint-solutions-cloud-containers/network-access.png" alt-text="Screenshot that shows where to go to turn off data ingestion."::: 
@@ -94,7 +94,7 @@ Learn how to [use Azure Private Link to connect networks to Azure Monitor](../az ## AWS -| Domain | Feature | Supported Resources | Linux release state | Windows release state | Agentless/Agent-based | Pricing tier | +| Domain | Feature | Supported Resources | Linux release state | Windows release state | Agentless/Sensor-based | Pricing tier | |--|--| -- | -- | -- | -- | --| | Security posture management | [Agentless discovery for Kubernetes](defender-for-containers-introduction.md#security-posture-management) | EKS | Preview | Preview | Agentless | Defender for Containers **OR** Defender CSPM | | Security posture management | Comprehensive inventory capabilities | ECR, EKS | Preview | Preview | Agentless| Defender for Containers **OR** Defender CSPM | 
@@ -104,11 +104,11 @@ Learn how to [use Azure Private Link to connect networks to Azure Monitor](../az | Security posture management | Control plane hardening | - | - | - | - | - | | Security posture management | Kubernetes data plane hardening | EKS | GA| - | Azure Policy for Kubernetes | Defender for Containers | | [Vulnerability assessment](agentless-vulnerability-assessment-aws.md) | Agentless registry scan (powered by Microsoft Defender Vulnerability Management) [supported packages](#registries-and-images-support-for-aws---vulnerability-assessment-powered-by-microsoft-defender-vulnerability-management)| ECR | Preview | Preview | Agentless | Defender for Containers or Defender CSPM | -| [Vulnerability assessment](agentless-vulnerability-assessment-aws.md) | Agentless/agent-based runtime (powered by Microsoft Defender Vulnerability Management) [supported packages](#registries-and-images-support-for-aws---vulnerability-assessment-powered-by-microsoft-defender-vulnerability-management)| EKS | Preview | Preview | Agentless **OR/AND** Defender agent | Defender for Containers or Defender CSPM | +| [Vulnerability assessment](agentless-vulnerability-assessment-aws.md) | Agentless/sensor-based runtime (powered by Microsoft Defender Vulnerability Management) [supported packages](#registries-and-images-support-for-aws---vulnerability-assessment-powered-by-microsoft-defender-vulnerability-management)| EKS | Preview | Preview | Agentless **OR/AND** Defender sensor | Defender for Containers or Defender CSPM | | Runtime protection| Control plane | EKS | Preview | Preview | Agentless | Defender for Containers | -| Runtime protection| Workload | EKS | Preview | - | Defender agent | Defender for Containers | +| Runtime protection| Workload | EKS | Preview | - | Defender sensor | Defender for Containers | | Deployment & monitoring | Discovery of unprotected clusters | EKS | Preview | - | Agentless | Free | -| Deployment & monitoring | Auto provisioning of Defender agent | - | - | 
- | - | - | +| Deployment & monitoring | Auto provisioning of Defender sensor | - | - | - | - | - | | Deployment & monitoring | Auto provisioning of Azure Policy for Kubernetes | - | - | - | - | - | ### Registries and images support for AWS - Vulnerability assessment powered by Microsoft Defender Vulnerability Management @@ -138,7 +138,7 @@ Outbound proxy without authentication and outbound proxy with basic authenticati ## GCP -| Domain | Feature | Supported Resources | Linux release state | Windows release state | Agentless/Agent-based | Pricing tier | +| Domain | Feature | Supported Resources | Linux release state | Windows release state | Agentless/Sensor-based | Pricing tier | |--|--| -- | -- | -- | -- | --| | Security posture management | [Agentless discovery for Kubernetes](defender-for-containers-introduction.md#security-posture-management) | GKE | Preview | Preview | Agentless | Defender for Containers **OR** Defender CSPM | | Security posture management | Comprehensive inventory capabilities | GAR, GCR, GKE | Preview | Preview | Agentless| Defender for Containers **OR** Defender CSPM | 
@@ -148,11 +148,11 @@ Outbound proxy without authentication and outbound proxy with basic authenticati | Security posture management | Control plane hardening | GKE | GA | GA | Agentless | Free | | Security posture management | Kubernetes data plane hardening | GKE | GA| - | Azure Policy for Kubernetes | Defender for Containers | | [Vulnerability assessment](agentless-vulnerability-assessment-gcp.md) | Agentless registry scan (powered by Microsoft Defender Vulnerability Management) [supported packages](#registries-and-images-support-for-gcp---vulnerability-assessment-powered-by-microsoft-defender-vulnerability-management)| GAR, GCR | Preview | Preview | Agentless | Defender for Containers or Defender CSPM | -| [Vulnerability assessment](agentless-vulnerability-assessment-gcp.md) | Agentless/agent-based runtime (powered by Microsoft Defender Vulnerability Management) [supported packages](#registries-and-images-support-for-gcp---vulnerability-assessment-powered-by-microsoft-defender-vulnerability-management)| GKE | Preview | Preview | Agentless **OR/AND** Defender agent | Defender for Containers or Defender CSPM | +| [Vulnerability assessment](agentless-vulnerability-assessment-gcp.md) | Agentless/sensor-based runtime (powered by Microsoft Defender Vulnerability Management) [supported packages](#registries-and-images-support-for-gcp---vulnerability-assessment-powered-by-microsoft-defender-vulnerability-management)| GKE | Preview | Preview | Agentless **OR/AND** Defender sensor | Defender for Containers or Defender CSPM | | Runtime protection| Control plane | GKE | Preview | Preview | Agentless | Defender for Containers | -| Runtime protection| Workload | GKE | Preview | - | Defender agent | Defender for Containers | +| Runtime protection| Workload | GKE | Preview | - | Defender sensor | Defender for Containers | | Deployment & monitoring | Discovery of unprotected clusters | GKE | Preview | - | Agentless | Free | -| Deployment & monitoring | Auto provisioning of 
Defender agent | GKE | Preview | - | Agentless | Defender for Containers | +| Deployment & monitoring | Auto provisioning of Defender sensor | GKE | Preview | - | Agentless | Defender for Containers | | Deployment & monitoring | Auto provisioning of Azure Policy for Kubernetes | GKE | Preview | - | Agentless | Defender for Containers | ### Registries and images support for GCP - Vulnerability assessment powered by Microsoft Defender Vulnerability Management 
@@ -182,15 +182,15 @@ Outbound proxy without authentication and outbound proxy with basic authenticati ## On-premises, Arc-enabled Kubernetes clusters -| Domain | Feature | Supported Resources | Linux release state | Windows release state | Agentless/Agent-based | Pricing tier | +| Domain | Feature | Supported Resources | Linux release state | Windows release state | Agentless/Sensor-based | Pricing tier | |--|--| -- | -- | -- | -- | --| | Security posture management | Docker CIS | Arc enabled VMs | Preview | - | Log Analytics agent | Defender for Servers Plan 2 | | Security posture management | Control plane hardening | - | - | - | - | - | | Security posture management | Kubernetes data plane hardening | Arc enabled K8s clusters | GA| - | Azure Policy for Kubernetes | Defender for Containers | -| Runtime protection| Threat protection (control plane)| Arc enabled K8s clusters | Preview | Preview | Defender agent | Defender for Containers | -| Runtime protection | Threat protection (workload)| Arc enabled K8s clusters | Preview | - | Defender agent | Defender for Containers | +| Runtime protection| Threat protection (control plane)| Arc enabled K8s clusters | Preview | Preview | Defender sensor | Defender for Containers | +| Runtime protection | Threat protection (workload)| Arc enabled K8s clusters | Preview | - | Defender sensor | Defender for Containers | | Deployment & monitoring | Discovery of unprotected clusters | Arc enabled K8s clusters | Preview | - | Agentless | Free | -| Deployment & monitoring | Auto provisioning of Defender agent | Arc enabled K8s clusters | Preview | Preview | Agentless | Defender for Containers | +| Deployment & monitoring | Auto provisioning of Defender sensor | Arc enabled K8s clusters | Preview | Preview | Agentless | Defender for Containers | | Deployment & monitoring | Auto provisioning of Azure Policy for Kubernetes | Arc enabled K8s clusters | Preview | - | Agentless | Defender for Containers | ### Kubernetes distributions and 
configurations @@ -208,7 +208,7 @@ Outbound proxy without authentication and outbound proxy with basic authenticati ### Supported host operating systems -Defender for Containers relies on the **Defender agent** for several features. The Defender agent is supported on the following host operating systems: +Defender for Containers relies on the **Defender sensor** for several features. The Defender sensor is supported on the following host operating systems: - Amazon Linux 2 - CentOS 8 
@@ -225,15 +225,15 @@ Defender for Containers relies on the **Defender agent** for several features. T Ensure your Kubernetes node is running on one of the verified supported operating systems. Clusters with different host operating systems, only get partial coverage. -### Defender agent limitations +### Defender sensor limitations -The Defender agent in AKS V1.28 and below is not supported on ARM64 nodes. +The Defender sensor in AKS V1.28 and below is not supported on ARM64 nodes. ### Network restrictions #### Private link -Defender for Containers relies on the Defender agent for several features. The Defender agent doesn't support the ability to ingest data through Private Link. You can disable public access for ingestion, so that only machines that are configured to send traffic through Azure Monitor Private Link can send data to that workstation. You can configure a private link by navigating to **`your workspace`** > **Network Isolation** and setting the Virtual networks access configurations to **No**. +Defender for Containers relies on the Defender sensor for several features. The Defender sensor doesn't support the ability to ingest data through Private Link. You can disable public access for ingestion, so that only machines that are configured to send traffic through Azure Monitor Private Link can send data to that workstation. You can configure a private link by navigating to **`your workspace`** > **Network Isolation** and setting the Virtual networks access configurations to **No**. :::image type="content" source="media/supported-machines-endpoint-solutions-cloud-containers/network-access.png" alt-text="Screenshot that shows where to go to turn off data ingestion."::: diff --git a/articles/defender-for-cloud/troubleshooting-guide.md b/articles/defender-for-cloud/troubleshooting-guide.md index 188278c3e755f..5f9d6736e8f08 100644 --- a/articles/defender-for-cloud/troubleshooting-guide.md +++ b/articles/defender-for-cloud/troubleshooting-guide.md 
@@ -37,7 +37,7 @@ Defender for Cloud uses connectors to collect monitoring data from Amazon Web Se - Standards should be assigned on the security connector. To check, go to **Environment settings** on the Defender for Cloud left menu, select the connector, and then select **Settings**. If no standards are assigned, select the three dots to check if you have permissions to assign standards. - A connector resource should be present in Azure Resource Graph. Use the following Resource Graph query to check: `resources | where ['type'] =~ "microsoft.security/securityconnectors"`. - Make sure that sending Kubernetes audit logs is enabled on the AWS or GCP connector so that you can get [threat detection alerts for the control plane](alerts-reference.md#alerts-for-containers---kubernetes-clusters). -- Make sure that the Microsoft Defender agent and the Azure Policy for Azure Arc-enabled Kubernetes extensions were installed successfully to your Amazon Elastic Kubernetes Service (EKS) and Google Kubernetes Engine (GKE) clusters. You can verify and install the agent with the following Defender for Cloud recommendations: +- Make sure that the Microsoft Defender sensor and the Azure Policy for Azure Arc-enabled Kubernetes extensions were installed successfully to your Amazon Elastic Kubernetes Service (EKS) and Google Kubernetes Engine (GKE) clusters. You can verify and install the agent with the following Defender for Cloud recommendations: - **EKS clusters should have Microsoft Defender's extension for Azure Arc installed** - **GKE clusters should have Microsoft Defender's extension for Azure Arc installed** - **Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed** diff --git a/articles/defender-for-cloud/tutorial-enable-container-aws.md b/articles/defender-for-cloud/tutorial-enable-container-aws.md index a08bc4c68c5bd..ab8620d677dc0 100644 --- a/articles/defender-for-cloud/tutorial-enable-container-aws.md 
+++ b/articles/defender-for-cloud/tutorial-enable-container-aws.md @@ -64,9 +64,9 @@ To protect your EKS clusters, you need to enable the Containers plan on the rele > [!NOTE] > To enable or disable individual Defender for Containers capabilities, either globally or for specific resources, see [How to enable Microsoft Defender for Containers components](defender-for-containers-enable.md). -## Deploy the Defender agent in EKS clusters +## Deploy the Defender sensor in EKS clusters -Azure Arc-enabled Kubernetes, the Defender agent, and Azure Policy for Kubernetes should be installed and running on your EKS clusters. There's a dedicated Defender for Cloud recommendation that can be used to install these extensions (and Azure Arc if necessary): +Azure Arc-enabled Kubernetes, the Defender sensor, and Azure Policy for Kubernetes should be installed and running on your EKS clusters. There's a dedicated Defender for Cloud recommendation that can be used to install these extensions (and Azure Arc if necessary): - `EKS clusters should have Microsoft Defender's extension for Azure Arc installed` diff --git a/articles/defender-for-cloud/tutorial-enable-container-gcp.md b/articles/defender-for-cloud/tutorial-enable-container-gcp.md index afeaf16acdc28..278294fbe2fc6 100644 --- a/articles/defender-for-cloud/tutorial-enable-container-gcp.md +++ b/articles/defender-for-cloud/tutorial-enable-container-gcp.md 
@@ -54,7 +54,7 @@ You can learn more about Defender for Container's pricing on the [pricing page]( > [!NOTE] > If you disable this configuration, then the `Threat detection (control plane)` feature will be disabled. Learn more about [features availability](supported-machines-endpoint-solutions-clouds-containers.md). - - **Auto provision Defender's agent for Azure Arc** and **Auto provision Azure Policy extension for Azure Arc**: Enabled by default. You can install Azure Arc-enabled Kubernetes and its extensions on your GKE clusters in three ways: + - **Auto provision Defender's sensor for Azure Arc** and **Auto provision Azure Policy extension for Azure Arc**: Enabled by default. You can install Azure Arc-enabled Kubernetes and its extensions on your GKE clusters in three ways: - Enable Defender for Containers autoprovisioning at the project level, as explained in the instructions in this section. We recommend this method. - Use Defender for Cloud recommendations for per-cluster installation. They appear on the Microsoft Defender for Cloud recommendations page. [Learn how to deploy the solution to specific clusters](defender-for-containers-enable.md?tabs=defender-for-container-gke#deploy-the-solution-to-specific-clusters). - Manually install [Arc-enabled Kubernetes](../azure-arc/kubernetes/quickstart-connect-cluster.md) and [extensions](../azure-arc/kubernetes/extensions.md). 
@@ -78,7 +78,7 @@ You can learn more about Defender for Container's pricing on the [pricing page]( ## Deploy the solution to specific clusters -If you disabled any of the default auto provisioning configurations to Off, during the [GCP connector onboarding process](quickstart-onboard-gcp.md#configure-the-defender-for-containers-plan), or afterwards. You need to manually install Azure Arc-enabled Kubernetes, the Defender agent, and Azure Policy for Kubernetes to each of your GKE clusters to get the full security value out of Defender for Containers. +If you disabled any of the default auto provisioning configurations to Off, during the [GCP connector onboarding process](quickstart-onboard-gcp.md#configure-the-defender-for-containers-plan), or afterwards. You need to manually install Azure Arc-enabled Kubernetes, the Defender sensor, and Azure Policy for Kubernetes to each of your GKE clusters to get the full security value out of Defender for Containers. There are two dedicated Defender for Cloud recommendations you can use to install the extensions (and Arc if necessary): diff --git a/articles/defender-for-cloud/tutorial-enable-containers-arc.md b/articles/defender-for-cloud/tutorial-enable-containers-arc.md index e77a8cb60f2cd..4711eb7577ac6 100644 --- a/articles/defender-for-cloud/tutorial-enable-containers-arc.md +++ b/articles/defender-for-cloud/tutorial-enable-containers-arc.md 
@@ -21,7 +21,7 @@ You can learn more about Defender for Container's pricing on the [pricing page]( - Ensure the following [Azure Arc-enabled Kubernetes network requirements](../azure-arc/kubernetes/network-requirements.md) are validated and [connect the Kubernetes cluster to Azure Arc](../azure-arc/kubernetes/quickstart-connect-cluster.md). -- Validate the following endpoints are configured for outbound access so that the Defender agent can connect to Microsoft Defender for Cloud to send security data and events: +- Validate the following endpoints are configured for outbound access so that the Defender sensor can connect to Microsoft Defender for Cloud to send security data and events: | Domain | Port | | -------------------------- | ---- | 
@@ -56,11 +56,11 @@ If you would prefer to [assign a custom workspace](defender-for-containers-enabl > [!NOTE] > To enable or disable individual Defender for Containers capabilities, either globally or for specific resources, see [How to enable Microsoft Defender for Containers components](defender-for-containers-enable.md). -## Deploy the Defender agent on Arc-enabled Kubernetes clusters +## Deploy the Defender sensor on Arc-enabled Kubernetes clusters -You can enable the Defender for Containers plan and deploy all of the relevant components in different ways. We walk you through the steps to accomplish this using the Azure portal. Learn how to [deploy the Defender agent](defender-for-containers-enable.md?pivots=defender-for-container-arc&tabs=aks-deploy-portal%2Ck8s-deploy-asc%2Ck8s-verify-asc%2Ck8s-remove-arc%2Caks-removeprofile-api#deploy-the-defender-agent) with REST API, Azure CLI or with a Resource Manager template. +You can enable the Defender for Containers plan and deploy all of the relevant components in different ways. We walk you through the steps to accomplish this using the Azure portal. Learn how to [deploy the Defender sensor](defender-for-containers-enable.md?pivots=defender-for-container-arc&tabs=aks-deploy-portal%2Ck8s-deploy-asc%2Ck8s-verify-asc%2Ck8s-remove-arc%2Caks-removeprofile-api#deploy-the-defender-sensor) with REST API, Azure CLI or with a Resource Manager template. -**To deploy the Defender agent in Azure:** +**To deploy the Defender sensor in Azure:** 1. Sign in to the [Azure portal](https://portal.azure.com). 
@@ -70,7 +70,7 @@ You can enable the Defender for Containers plan and deploy all of the relevant c 1. Search for and select the `Azure Arc-enabled Kubernetes clusters should have the Defender extension installed` recommendation. - :::image type="content" source="media/tutorial-enable-containers-azure/extension-recommendation.png" alt-text="Microsoft Defender for Cloud's recommendation for deploying the Defender agent for Azure Arc-enabled Kubernetes clusters." lightbox="media/tutorial-enable-containers-azure/extension-recommendation.png"::: + :::image type="content" source="media/tutorial-enable-containers-azure/extension-recommendation.png" alt-text="Microsoft Defender for Cloud's recommendation for deploying the Defender sensor for Azure Arc-enabled Kubernetes clusters." lightbox="media/tutorial-enable-containers-azure/extension-recommendation.png"::: 1. Select all of the relevant affected resources. diff --git a/articles/defender-for-cloud/tutorial-enable-containers-azure.md b/articles/defender-for-cloud/tutorial-enable-containers-azure.md index 7a53b2917f7cb..f43ece4762c45 100644 --- a/articles/defender-for-cloud/tutorial-enable-containers-azure.md +++ b/articles/defender-for-cloud/tutorial-enable-containers-azure.md 
@@ -19,7 +19,7 @@ You can learn more about Defender for Container's pricing on the [pricing page]( - You must [enable Microsoft Defender for Cloud](get-started.md#enable-defender-for-cloud-on-your-azure-subscription) on your Azure subscription. -- Ensure the [required Fully Qualified Domain Names (FQDN)/application](../aks/limit-egress-traffic.md) endpoints are configured for outbound access so the Defender agent can connect to Microsoft Defender for Cloud to send security data and events. +- Ensure the [required Fully Qualified Domain Names (FQDN)/application](../aks/limit-egress-traffic.md) endpoints are configured for outbound access so the Defender sensor can connect to Microsoft Defender for Cloud to send security data and events. > [!NOTE] > By default, AKS clusters have unrestricted outbound (egress) internet access. 
@@ -46,14 +46,14 @@ If you would prefer to [assign a custom workspace](defender-for-containers-enabl 1. Select **Save**. -## Deploy the Defender agent in Azure +## Deploy the Defender sensor in Azure > [!NOTE] > To enable or disable individual Defender for Containers capabilities, either globally or for specific resources, see [How to enable Microsoft Defender for Containers components](defender-for-containers-enable.md). -You can enable the Defender for Containers plan and deploy all of the relevant components in different ways. We walk you through the steps to accomplish this using the Azure portal. Learn how to [deploy the Defender agent](defender-for-containers-enable.md#deploy-the-defender-agent) with REST API, Azure CLI or with a Resource Manager template. +You can enable the Defender for Containers plan and deploy all of the relevant components in different ways. We walk you through the steps to accomplish this using the Azure portal. Learn how to [deploy the Defender sensor](defender-for-containers-enable.md#deploy-the-defender-sensor) with REST API, Azure CLI or with a Resource Manager template. -**To deploy the Defender agent in Azure:** +**To deploy the Defender sensor in Azure:** 1. Sign in to the [Azure portal](https://portal.azure.com). diff --git a/articles/defender-for-cloud/upcoming-changes.md b/articles/defender-for-cloud/upcoming-changes.md index 31d8252fb008d..29c655c0a8ac0 100644 --- a/articles/defender-for-cloud/upcoming-changes.md +++ b/articles/defender-for-cloud/upcoming-changes.md 
@@ -34,15 +34,12 @@ If you're looking for the latest release notes, you can find them in the [What's | [Change in pricing for multicloud container threat detection](#change-in-pricing-for-multicloud-container-threat-detection) | January 30, 2024 | April 2024 | | [Enforcement of Defender CSPM for Premium DevOps Security Capabilities](#enforcement-of-defender-cspm-for-premium-devops-security-value) | January 29, 2024 | March 2024 | | [Update to agentless VM scanning built-in Azure role](#update-to-agentless-vm-scanning-built-in-azure-role) |January 14, 2024 | February 2024 | -| [Deprecation of two recommendations related to PCI](#deprecation-of-two-recommendations-related-to-pci) |January 14, 2024 | February 2024 | | [Defender for Servers built-in vulnerability assessment (Qualys) retirement path](#defender-for-servers-built-in-vulnerability-assessment-qualys-retirement-path) | January 9, 2024 | May 2024 | -| [New version of Defender Agent for Defender for Containers](#new-version-of-defender-agent-for-defender-for-containers) | January 4, 2024 | February 2024 | | [Upcoming change for the Defender for Cloud’s multicloud network requirements](#upcoming-change-for-the-defender-for-clouds-multicloud-network-requirements) | January 3, 2024 | May 2024 | | [Deprecation of two DevOps security recommendations](#deprecation-of-two-devops-security-recommendations) | November 30, 2023 | January 2024 | | [Consolidation of Defender for Cloud's Service Level 2 names](#consolidation-of-defender-for-clouds-service-level-2-names) | November 1, 2023 | December 2023 | | [Changes to how Microsoft Defender for Cloud's costs are presented in Microsoft Cost Management](#changes-to-how-microsoft-defender-for-clouds-costs-are-presented-in-microsoft-cost-management) | October 25, 2023 | November 2023 | | [Replacing the "Key Vaults should have purge protection enabled" recommendation with combined recommendation "Key Vaults should have deletion protection 
enabled"](#replacing-the-key-vaults-should-have-purge-protection-enabled-recommendation-with-combined-recommendation-key-vaults-should-have-deletion-protection-enabled) | | June 2023| -| [Preview alerts for DNS servers to be deprecated](#preview-alerts-for-dns-servers-to-be-deprecated) | | August 2023 | | [Change to the Log Analytics daily cap](#change-to-the-log-analytics-daily-cap) | | September 2023 | | [DevOps Resource Deduplication for Defender for DevOps](#devops-resource-deduplication-for-defender-for-devops) | | November 2023 | | [Deprecating two security incidents](#deprecating-two-security-incidents) | | November 2023 | 
@@ -191,17 +188,6 @@ For more information on the code to cloud security capabilities in Defender CSPM In Azure, agentless scanning for VMs uses a built-in role (called [VM scanner operator](faq-permissions.yml)) with the minimum necessary permissions required to scan and assess your VMs for security issues. To continuously provide relevant scan health and configuration recommendations for VMs with encrypted volumes, an update to this role's permissions is planned. The update includes the addition of the ```Microsoft.Compute/DiskEncryptionSets/read``` permission. This permission solely enables improved identification of encrypted disk usage in VMs. It doesn't provide Defender for Cloud any more capabilities to decrypt or access the content of these encrypted volumes beyond the encryption methods [already supported](concept-agentless-data-collection.md#availability) prior to this change. This change is expected to take place during February 2024 and no action is required on your end. -## Deprecation of two recommendations related to PCI - -**Announcement date: January 14, 2024** - -**Estimated date for change: February 2024** - -The following two recommendations related to PCI (Permission Creep Index) are set for deprecation: - -- `Over-provisioned identities in accounts should be investigated to reduce the Permission Creep Index (PCI)` -- `Over-Provisioned identities in subscriptions should be investigated to reduce the Permission Creep Index (PCI)` - ## Defender for Servers built-in vulnerability assessment (Qualys) retirement path **Announcement date: January 9, 2024** 
@@ -214,14 +200,6 @@ For more information about our decision to unify our vulnerability assessment of You can also check out the [common questions about the transition to Microsoft Defender Vulnerability Management solution](faq-scanner-detection.yml). -## New version of Defender Agent for Defender for Containers - -**Announcement date: January 4, 2024** - -**Estimated date for change: February 2024** - -A new version of the [Defender Agent for Defender for Containers](tutorial-enable-containers-azure.md#deploy-the-defender-agent-in-azure) will be released in February 2024. It includes performance and security improvements, support for both AMD64 and ARM64 arch nodes (Linux only), and uses [Inspektor Gadget](https://www.inspektor-gadget.io/) as the process collection agent instead of Sysdig. The new version is only supported on Linux kernel versions 5.4 and higher, so if you have older versions of the Linux kernel, you'll need to upgrade. For more information, see [Supported host operating systems](support-matrix-defender-for-containers.md#supported-host-operating-systems). - ## Upcoming change for the Defender for Cloud’s multicloud network requirements **Announcement date: January 3, 2024** 
@@ -338,29 +316,6 @@ The `Key Vaults should have purge protection enabled` recommendation is deprecat See the [full index of Azure Policy built-in policy definitions for Key Vault](../key-vault/policy-reference.md). -## Preview alerts for DNS servers to be deprecated - -**Estimated date for change: August 2023** - -Following quality improvement process, security alerts for DNS servers are set to be deprecated in August. For cloud resources, use [Azure DNS](defender-for-dns-introduction.md) to receive the same security value. - -The following table lists the alerts to be deprecated: - -| AlertDisplayName | AlertType | -|--|--| -| Communication with suspicious random domain name (Preview) | DNS_RandomizedDomain | -| Communication with suspicious domain identified by threat intelligence (Preview) | DNS_ThreatIntelSuspectDomain | -| Digital currency mining activity (Preview) | DNS_CurrencyMining | -| Network intrusion detection signature activation (Preview) | DNS_SuspiciousDomain | -| Attempted communication with suspicious sinkholed domain (Preview) | DNS_SinkholedDomain | -| Communication with possible phishing domain (Preview) | DNS_PhishingDomain| -| Possible data transfer via DNS tunnel (Preview) | DNS_DataObfuscation | -| Possible data exfiltration via DNS tunnel (Preview) | DNS_DataExfiltration | -| Communication with suspicious algorithmically generated domain (Preview) | DNS_DomainGenerationAlgorithm | -| Possible data download via DNS tunnel (Preview) | DNS_DataInfiltration | -| Anonymity network activity (Preview) | DNS_DarkWeb | -| Anonymity network activity using web proxy (Preview) | DNS_DarkWebProxy | - ## Change to the Log Analytics daily cap Azure monitor offers the capability to [set a daily cap](../azure-monitor/logs/daily-cap.md) on the data that is ingested on your Log analytics workspaces. However, Defenders for Cloud security events are currently not supported in those exclusions. 
diff --git a/articles/defender-for-cloud/view-and-remediate-vulnerabilities-for-images.md b/articles/defender-for-cloud/view-and-remediate-vulnerabilities-for-images.md index 29bbdc154b9cb..991124c7738ab 100644 --- a/articles/defender-for-cloud/view-and-remediate-vulnerabilities-for-images.md +++ b/articles/defender-for-cloud/view-and-remediate-vulnerabilities-for-images.md 
@@ -11,7 +11,7 @@ ms.date: 09/06/2023 Defender for Cloud gives its customers the ability to prioritize the remediation of vulnerabilities in images that are currently being used within their environment using the [Running container images should have vulnerability findings resolved](https://portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/KubernetesRuntimeVisibilityRecommendationDetailsBlade/assessmentKey/41503391-efa5-47ee-9282-4eff6131462ce) recommendation. -To provide findings for the recommendation, Defender for Cloud uses [agentless discovery for Kubernetes](defender-for-containers-introduction.md) or the [Defender agent](tutorial-enable-containers-azure.md#deploy-the-defender-agent-in-azure) to create a full inventory of your Kubernetes clusters and their workloads and correlates that inventory with the vulnerability reports created for your registry images. The recommendation shows your running containers with the vulnerabilities associated with the images that are used by each container and remediation steps. +To provide findings for the recommendation, Defender for Cloud uses [agentless discovery for Kubernetes](defender-for-containers-introduction.md) or the [Defender sensor](tutorial-enable-containers-azure.md#deploy-the-defender-sensor-in-azure) to create a full inventory of your Kubernetes clusters and their workloads and correlates that inventory with the vulnerability reports created for your registry images. The recommendation shows your running containers with the vulnerabilities associated with the images that are used by each container and remediation steps. Defender for Cloud presents the findings and related information as recommendations, including related information such as remediation steps and relevant CVEs. You can view the identified vulnerabilities for one or more subscriptions, or for a specific resource. 
diff --git a/articles/defender-for-cloud/working-with-log-analytics-agent.md b/articles/defender-for-cloud/working-with-log-analytics-agent.md index 5214fea600373..7cde91fff8e87 100644 --- a/articles/defender-for-cloud/working-with-log-analytics-agent.md +++ b/articles/defender-for-cloud/working-with-log-analytics-agent.md @@ -138,7 +138,7 @@ To manually install the Log Analytics agent: 1. Set the workspace on which you're installing the agent. Make sure the workspace is in the same subscription you use in Defender for Cloud and that you have read/write permissions for the workspace. 1. Select one or both "Servers" or "SQL servers on machines"(Foundational CSPM is the free default), and then select **Save**. - + :::image type="content" source="media/working-with-log-analytics-agent/apply-plan-to-workspace.png" alt-text="Screenshot that shows where to set the workspace on which you're installing the agent." lightbox="media/working-with-log-analytics-agent/apply-plan-to-workspace.png"::: >[!NOTE] diff --git a/articles/defender-for-cloud/workload-protections-dashboard.md b/articles/defender-for-cloud/workload-protections-dashboard.md index a33ae4fd24a9b..44e8566d1d335 100644 --- a/articles/defender-for-cloud/workload-protections-dashboard.md +++ b/articles/defender-for-cloud/workload-protections-dashboard.md @@ -27,7 +27,6 @@ Defender for Cloud includes many advanced threat protection capabilities for vir Insights provide you with news, suggested reading, and high priority alerts that are relevant in your environment. - ## Next steps [Learn about](defender-for-cloud-introduction.md) workloads you can protect in Defender for Cloud diff --git a/articles/event-grid/scripts/powershell-webhook-secure-delivery-microsoft-entra-user.md b/articles/event-grid/scripts/powershell-webhook-secure-delivery-microsoft-entra-user.md index 1447cb11a2ea4..bf084c497ab64 100644 --- a/articles/event-grid/scripts/powershell-webhook-secure-delivery-microsoft-entra-user.md 
+++ b/articles/event-grid/scripts/powershell-webhook-secure-delivery-microsoft-entra-user.md @@ -23,7 +23,7 @@ Here are the high level steps from the script: ```azurepowershell # NOTE: Before run this script ensure you are logged in Azure by using "az login" command. -$webhookAppId = "[REPLACE_WITH_YOUR_ID]" +$webhookAppObjectId = "[REPLACE_WITH_YOUR_ID]" $eventSubscriptionWriterUserPrincipalName = "[REPLACE_WITH_USER_PRINCIPAL_NAME_OF_THE_USER_WHO_WILL_CREATE_THE_SUBSCRIPTION]" # Start execution diff --git a/articles/governance/includes/resource-graph/query/virtual-machine-basic-sku-public-ip.md b/articles/governance/includes/resource-graph/query/virtual-machine-basic-sku-public-ip.md index 85b5a8b65b0b0..7aa11bcb18cee 100644 --- a/articles/governance/includes/resource-graph/query/virtual-machine-basic-sku-public-ip.md +++ b/articles/governance/includes/resource-graph/query/virtual-machine-basic-sku-public-ip.md @@ -45,7 +45,7 @@ Search-AzGraph -Query "Resources | where type =~ 'microsoft.compute/virtualmachi :::image type="icon" source="../../../resource-graph/media/resource-graph-small.png"::: Try this query in Azure Resource Graph Explorer: - Azure portal: portal.azure.com -- Azure Government portal: portal.azure.us +- Azure Government portal: portal.azure.us - Microsoft Azure operated by 21Vianet portal: portal.azure.cn --- diff --git a/articles/governance/policy/samples/australia-ism.md b/articles/governance/policy/samples/australia-ism.md index 67cecda241545..7c89f26333aa8 100644 --- a/articles/governance/policy/samples/australia-ism.md +++ b/articles/governance/policy/samples/australia-ism.md 
@@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for Australian Government ISM PROTECTED description: Details of the Australian Government ISM PROTECTED Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- @@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in Australian Government ISM PROTECTED. For more information about this compliance standard, see [Australian Government ISM PROTECTED](https://www.cyber.gov.au/acsc/view-all-content/ism). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **Australian Government ISM PROTECTED** controls. Many of the controls diff --git a/articles/governance/policy/samples/azure-security-benchmark.md b/articles/governance/policy/samples/azure-security-benchmark.md index df3670c359f4a..c4047d9500191 100644 --- a/articles/governance/policy/samples/azure-security-benchmark.md +++ b/articles/governance/policy/samples/azure-security-benchmark.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for Microsoft cloud security benchmark description: Details of the Microsoft cloud security benchmark Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- 
@@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in Microsoft cloud security benchmark. For more information about this compliance standard, see [Microsoft cloud security benchmark](/security/benchmark/azure/introduction). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **Microsoft cloud security benchmark** controls. Many of the controls 
@@ -59,7 +59,7 @@ initiative definition. |[API Management should disable public network access to the service configuration endpoints](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf73bd95-24da-4a4f-96b9-4e8b94b402bd) |To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/PublicEndpoint_AINE.json) | |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. 
It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cosmos DB accounts should have firewall rules](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb) |Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_NetworkRulesExist_Audit.json) | |[Azure Cosmos DB should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F797b37f7-06b8-444c-b1ad-fc62867f335a) |Disabling public network access improves security by ensuring that your CosmosDB account isn't exposed on the public internet. Creating private endpoints can limit exposure of your CosmosDB account. Learn more at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation](../../../cosmos-db/how-to-configure-private-endpoints.md#blocking-public-network-access-during-account-creation). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateNetworkAccess_AuditDeny.json) | 
@@ -154,9 +154,10 @@ initiative definition. |Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | |---|---|---|---| +|[A Microsoft Entra administrator should be provisioned for PostgreSQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb4dec045-250a-48c2-b5cc-e0c4eec8b5b4) |Audit provisioning of a Microsoft Entra administrator for your PostgreSQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_AuditServerADAdmins_Audit.json) | |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. 
After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | -|[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/azure-ml-aad-policy](https://aka.ms/azure-ml-aad-policy). |Audit, Deny, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Audit.json) | +|[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/azure-ml-aad-policy](https://aka.ms/azure-ml-aad-policy). 
|Audit, Deny, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Audit.json) | |[Azure SQL Database should have Microsoft Entra-only authentication enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb3a22bc9-66de-45fb-98fa-00f5df42f41a) |Require Azure SQL logical servers to use Microsoft Entra-only authentication. This policy doesn't block servers from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: [https://aka.ms/adonlycreate](https://aka.ms/adonlycreate). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_ADOnlyEnabled_DisableADAuth_Deny.json) | |[Azure SQL Database should have Microsoft Entra-only authentication enabled during creation](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabda6d70-9778-44e7-84a8-06713e6db027) |Require Azure SQL logical servers to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: [https://aka.ms/adonlycreate](https://aka.ms/adonlycreate). 
|Audit, Deny, Disabled |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_ADOnlyEnabled_Deny.json) | |[Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0c28c3fb-c244-42d5-a9bf-f35f2999577b) |Require Azure SQL Managed Instance to use Microsoft Entra-only authentication. This policy doesn't block Azure SQL Managed instances from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: [https://aka.ms/adonlycreate](https://aka.ms/adonlycreate). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_ADOnlyEnabled_DisableADAuth_Deny.json) | 
@@ -319,7 +320,6 @@ initiative definition. |[\[Preview\]: Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost.](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca88aadc-6e2b-416c-9de2-5a0f01d1693f) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources. Use Azure Disk Encryption or EncryptionAtHost to encrypt all this data.Visit [https://aka.ms/diskencryptioncomparison](https://aka.ms/diskencryptioncomparison) to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |AuditIfNotExists, Disabled |[1.2.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/LinuxVMEncryption_AINE.json) | |[\[Preview\]: Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost.](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3dc5edcd-002d-444c-b216-e123bbfa37c0) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources. Use Azure Disk Encryption or EncryptionAtHost to encrypt all this data.Visit [https://aka.ms/diskencryptioncomparison](https://aka.ms/diskencryptioncomparison) to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
|AuditIfNotExists, Disabled |[1.1.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/WindowsVMEncryption_AINE.json) | |[A Microsoft Entra administrator should be provisioned for MySQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F146412e9-005c-472b-9e48-c87b72ac229e) |Audit provisioning of a Microsoft Entra administrator for your MySQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_AuditServerADAdmins_Audit.json) | -|[A Microsoft Entra administrator should be provisioned for PostgreSQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb4dec045-250a-48c2-b5cc-e0c4eec8b5b4) |Audit provisioning of a Microsoft Entra administrator for your PostgreSQL server to enable Microsoft Entra authentication. 
Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_AuditServerADAdmins_Audit.json) | |[Automation account variables should be encrypted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3657f5a0-770e-44a3-b44e-9431ba1e9735) |It is important to enable encryption of Automation account variable assets when storing sensitive data |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/AuditUnencryptedVars_Audit.json) | |[Azure MySQL flexible server should have Microsoft Entra Only Authentication enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F40e85574-ef33-47e8-a854-7a65c7500560) |Disabling local authentication methods and allowing only Microsoft Entra Authentication improves security by ensuring that Azure MySQL flexible server can exclusively be accessed by Microsoft Entra identities. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_FlexibleServers_ADOnlyEnabled_Audit.json) | |[Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F617c02be-7f02-4efd-8836-3180d47b6c68) |Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. 
Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/AuditClusterProtectionLevel_Audit.json) | 
@@ -676,10 +676,8 @@ initiative definition. |---|---|---|---| |[\[Preview\]: System updates should be installed on your machines (powered by Update Center)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff85bf3e0-d513-442e-89c3-1784ad63382b) |Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. |AuditIfNotExists, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdatesV2_Audit.json) | |[Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F090c7b07-b4ed-4561-ad20-e9075f3ccaff) |Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. 
|AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_AzureContainerRegistryVulnerabilityAssessment_Audit.json) | -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |[Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17f4b1cc-c55c-4d94-b1f9-2978f6ac2957) |Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. 
|AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_K8sRuningImagesVulnerabilityAssessmentBasedOnMDVM_Audit.json) | -|[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) | -|[Machines should be configured to periodically check for missing system updates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd876905-5b84-4f73-ab2d-2e7a7c4568d9) |To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: [https://aka.ms/computevm-windowspatchassessmentmode,](https://aka.ms/computevm-windowspatchassessmentmode,) for Linux: [https://aka.ms/computevm-linuxpatchassessmentmode](https://aka.ms/computevm-linuxpatchassessmentmode). 
|Audit, Deny, Disabled |[3.6.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json) | +|[Machines should be configured to periodically check for missing system updates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd876905-5b84-4f73-ab2d-2e7a7c4568d9) |To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: [https://aka.ms/computevm-windowspatchassessmentmode,](https://aka.ms/computevm-windowspatchassessmentmode,) for Linux: [https://aka.ms/computevm-linuxpatchassessmentmode](https://aka.ms/computevm-linuxpatchassessmentmode). |Audit, Deny, Disabled |[3.7.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json) | |[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. 
|AuditIfNotExists, Disabled |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) | |[SQL servers on machines should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6ba6d016-e7c3-4842-b8f2-4992ebc0d72d) |SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerSQLVulnerabilityAssessment_Audit.json) | |[System updates on virtual machine scale sets should be installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3f317a7-a95c-4547-b7e7-11017ebdf2fe) |Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingSystemUpdates_Audit.json) | @@ -757,9 +755,7 @@ initiative definition. |Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | |---|---|---|---| |[Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F090c7b07-b4ed-4561-ad20-e9075f3ccaff) |Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_AzureContainerRegistryVulnerabilityAssessment_Audit.json) | -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. 
|AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |[Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17f4b1cc-c55c-4d94-b1f9-2978f6ac2957) |Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_K8sRuningImagesVulnerabilityAssessmentBasedOnMDVM_Audit.json) | -|[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. 
|AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) | |[Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) |Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) | ## Next steps diff --git a/articles/governance/policy/samples/canada-federal-pbmm.md b/articles/governance/policy/samples/canada-federal-pbmm.md index 2bb35f2e82ff4..490d9f3ae96ce 100644 --- a/articles/governance/policy/samples/canada-federal-pbmm.md +++ b/articles/governance/policy/samples/canada-federal-pbmm.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for Canada Federal PBMM description: Details of the Canada Federal PBMM Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- 
@@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in Canada Federal PBMM. For more information about this compliance standard, see [Canada Federal PBMM](https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/cloud-services/government-canada-security-control-profile-cloud-based-it-services.html). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **Canada Federal PBMM** controls. Many of the controls diff --git a/articles/governance/policy/samples/cis-azure-1-1-0.md b/articles/governance/policy/samples/cis-azure-1-1-0.md index 1e33093871cbb..e155edb526d96 100644 --- a/articles/governance/policy/samples/cis-azure-1-1-0.md +++ b/articles/governance/policy/samples/cis-azure-1-1-0.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.1.0 description: Details of the CIS Microsoft Azure Foundations Benchmark 1.1.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- 
@@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in CIS Microsoft Azure Foundations Benchmark 1.1.0. For more information about this compliance standard, see [CIS Microsoft Azure Foundations Benchmark 1.1.0](https://www.cisecurity.org/benchmark/azure/). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **CIS Microsoft Azure Foundations Benchmark 1.1.0** controls. Many of the controls diff --git a/articles/governance/policy/samples/cis-azure-1-3-0.md b/articles/governance/policy/samples/cis-azure-1-3-0.md index 8b7f4bdeac060..621a9366bfc06 100644 --- a/articles/governance/policy/samples/cis-azure-1-3-0.md +++ b/articles/governance/policy/samples/cis-azure-1-3-0.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.3.0 description: Details of the CIS Microsoft Azure Foundations Benchmark 1.3.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- 
@@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in CIS Microsoft Azure Foundations Benchmark 1.3.0. For more information about this compliance standard, see [CIS Microsoft Azure Foundations Benchmark 1.3.0](https://www.cisecurity.org/benchmark/azure/). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **CIS Microsoft Azure Foundations Benchmark 1.3.0** controls. Many of the controls diff --git a/articles/governance/policy/samples/cis-azure-1-4-0.md b/articles/governance/policy/samples/cis-azure-1-4-0.md index 4345e092345b8..cde852b287066 100644 --- a/articles/governance/policy/samples/cis-azure-1-4-0.md +++ b/articles/governance/policy/samples/cis-azure-1-4-0.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.4.0 description: Details of the CIS Microsoft Azure Foundations Benchmark 1.4.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- 
@@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in CIS Microsoft Azure Foundations Benchmark 1.4.0. For more information about this compliance standard, see [CIS Microsoft Azure Foundations Benchmark 1.4.0](https://www.cisecurity.org/benchmark/azure/). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **CIS Microsoft Azure Foundations Benchmark 1.4.0** controls. Many of the controls diff --git a/articles/governance/policy/samples/cis-azure-2-0-0.md b/articles/governance/policy/samples/cis-azure-2-0-0.md index 02782631f9188..0ec3fa652275a 100644 --- a/articles/governance/policy/samples/cis-azure-2-0-0.md +++ b/articles/governance/policy/samples/cis-azure-2-0-0.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 2.0.0 description: Details of the CIS Microsoft Azure Foundations Benchmark 2.0.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- 
@@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in CIS Microsoft Azure Foundations Benchmark 2.0.0. For more information about this compliance standard, see [CIS Microsoft Azure Foundations Benchmark 2.0.0](https://www.cisecurity.org/benchmark/azure/). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **CIS Microsoft Azure Foundations Benchmark 2.0.0** controls. Many of the controls @@ -386,7 +386,7 @@ initiative definition. |Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | |---|---|---|---| -|[Machines should be configured to periodically check for missing system updates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd876905-5b84-4f73-ab2d-2e7a7c4568d9) |To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: [https://aka.ms/computevm-windowspatchassessmentmode,](https://aka.ms/computevm-windowspatchassessmentmode,) for Linux: [https://aka.ms/computevm-linuxpatchassessmentmode](https://aka.ms/computevm-linuxpatchassessmentmode). |Audit, Deny, Disabled |[3.6.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json) | +|[Machines should be configured to periodically check for missing system updates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd876905-5b84-4f73-ab2d-2e7a7c4568d9) |To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: [https://aka.ms/computevm-windowspatchassessmentmode,](https://aka.ms/computevm-windowspatchassessmentmode,) for Linux: [https://aka.ms/computevm-linuxpatchassessmentmode](https://aka.ms/computevm-linuxpatchassessmentmode). |Audit, Deny, Disabled |[3.7.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json) | ### Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled' 
diff --git a/articles/governance/policy/samples/cmmc-l3.md b/articles/governance/policy/samples/cmmc-l3.md index a869311af5515..bfde64f9959a8 100644 --- a/articles/governance/policy/samples/cmmc-l3.md +++ b/articles/governance/policy/samples/cmmc-l3.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for CMMC Level 3 description: Details of the CMMC Level 3 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- @@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in CMMC Level 3. For more information about this compliance standard, see [CMMC Level 3](https://www.acq.osd.mil/cmmc/documentation.html). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **CMMC Level 3** controls. Many of the controls 
@@ -50,7 +50,7 @@ This built-in initiative is deployed as part of the |[App Service apps should have remote debugging turned off](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcb510bfd-1cba-4d9f-a230-cb0976f4bb71) |Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/DisableRemoteDebugging_WebApp_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RestrictCORSAccess_WebApp_Audit.json) | |[Audit Linux machines that allow remote connections from accounts without passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fea53dbee-c6c9-4f0e-9f9e-de0039b78023) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/LinuxPassword110_AINE.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Key Vault should have firewall enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F55615ac9-af46-4a59-874e-391cc3dfb490) |Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. 
Learn more at: [https://docs.microsoft.com/azure/key-vault/general/network-security](../../../key-vault/general/network-security.md) |Audit, Deny, Disabled |[3.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/FirewallEnabled_Audit.json) | |[Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. |Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) | |[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) | 
@@ -88,7 +88,7 @@ This built-in initiative is deployed as part of the |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RestrictCORSAccess_WebApp_Audit.json) | |[App Service apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/Webapp_AuditHTTP_Audit.json) | |[Audit Linux machines that allow remote connections from accounts without passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fea53dbee-c6c9-4f0e-9f9e-de0039b78023) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/LinuxPassword110_AINE.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Key Vault should have firewall enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F55615ac9-af46-4a59-874e-391cc3dfb490) |Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. 
Learn more at: [https://docs.microsoft.com/azure/key-vault/general/network-security](../../../key-vault/general/network-security.md) |Audit, Deny, Disabled |[3.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/FirewallEnabled_Audit.json) | |[Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. |Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | 
@@ -174,7 +174,7 @@ This built-in initiative is deployed as part of the |[\[Preview\]: All Internet traffic should be routed via your deployed Azure Firewall](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffc5e4038-4584-4632-8c85-c0448d374b2c) |Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall |AuditIfNotExists, Disabled |[3.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ASC_All_Internet_traffic_should_be_routed_via_Azure_Firewall.json) | |[\[Preview\]: Storage account public access should be disallowed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4fa4b6c0-31ca-4c0d-b10d-24b96f62a751) |Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. 
|audit, Audit, deny, Deny, disabled, Disabled |[3.1.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/ASC_Storage_DisallowPublicBlobAccess_Audit.json) | |[Adaptive network hardening recommendations should be applied on internet facing virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F08e6af2d-db70-460a-bfe9-d5bd474ba9d6) |Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveNetworkHardenings_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. |Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. 
|Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | 
@@ -439,7 +439,7 @@ This built-in initiative is deployed as part of the |[Allowlist rules in your adaptive application control policy should be updated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F123a3936-f020-408a-ba0c-47873faf1534) |Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControlsUpdate_Audit.json) | |[App Service apps should have remote debugging turned off](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcb510bfd-1cba-4d9f-a230-cb0976f4bb71) |Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/DisableRemoteDebugging_WebApp_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. 
|AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RestrictCORSAccess_WebApp_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. 
Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[CORS should not allow every domain to access your API for FHIR](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fea8f8a-4169-495d-8307-30ec335f387d) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API for FHIR. 
To protect your API for FHIR, remove access for all domains and explicitly define the domains allowed to connect. |audit, Audit, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_RestrictCORSAccess_Audit.json) | 
@@ -683,7 +683,6 @@ This built-in initiative is deployed as part of the |[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected Azure SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb4388-5bf4-4ad7-ba82-2cd2f41ceae9) |Audit SQL servers without Advanced Data Security |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected SQL Managed Instances](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) | -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |[Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffb893a29-21bb-418c-a157-e99480ec364c) |Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. 
Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+ |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UpgradeVersion_KubernetesService_Audit.json) | |[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) | |[Microsoft Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F640d2586-54d2-465f-877f-9ffc1d2109f4) |Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_Microsoft_Defender_For_Storage_Full_Audit.json) | 
@@ -727,7 +726,7 @@ This built-in initiative is deployed as part of the |[All network ports should be restricted on network security groups associated to your virtual machine](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9daedab3-fb2d-461e-b861-71790eead4f6) |Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnprotectedEndpoints_Audit.json) | |[App Service apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/Webapp_AuditHTTP_Audit.json) | |[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. 
|AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. 
Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. 
If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | 
@@ -846,7 +845,7 @@ This built-in initiative is deployed as part of the |[Adaptive network hardening recommendations should be applied on internet facing virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F08e6af2d-db70-460a-bfe9-d5bd474ba9d6) |Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveNetworkHardenings_Audit.json) | |[All network ports should be restricted on network security groups associated to your virtual machine](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9daedab3-fb2d-461e-b861-71790eead4f6) |Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnprotectedEndpoints_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. 
|AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RestrictCORSAccess_WebApp_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Key Vault should have firewall enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F55615ac9-af46-4a59-874e-391cc3dfb490) |Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. 
Learn more at: [https://docs.microsoft.com/azure/key-vault/general/network-security](../../../key-vault/general/network-security.md) |Audit, Deny, Disabled |[3.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/FirewallEnabled_Audit.json) | |[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. 
|Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | diff --git a/articles/governance/policy/samples/fedramp-high.md b/articles/governance/policy/samples/fedramp-high.md index 17f6361f2fd14..e1dbfe925d44a 100644 --- a/articles/governance/policy/samples/fedramp-high.md +++ b/articles/governance/policy/samples/fedramp-high.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for FedRAMP High description: Details of the FedRAMP High Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- @@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in FedRAMP High. For more information about this compliance standard, see [FedRAMP High](https://www.fedramp.gov/). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **FedRAMP High** controls. Many of the controls 
@@ -245,7 +245,7 @@ initiative definition. |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RestrictCORSAccess_WebApp_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. 
It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. 
Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | 
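Review bot: the only change in this row is the Version value, 3.1.0 to 3.2.0; the Effect(s) (Audit, Deny, Disabled), the description and the definition ID 037eea7a-bd0a-46c5-9a66-03aea78705d3 are identical on the `-` and `+` lines. The Version link still targets `blob/master/.../Azure%20Ai%20Services/NetworkAcls_Audit.json`, so it resolves to whatever is current in the repo rather than to 3.2.0 specifically; check the value in the table against the `version` field in that file before merge. The same row is bumped identically in the later hunks of this patch, so the initiative pages stay consistent with each other.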
@@ -3192,7 +3192,6 @@ initiative definition. |[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected Azure SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb4388-5bf4-4ad7-ba82-2cd2f41ceae9) |Audit SQL servers without Advanced Data Security |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected SQL Managed Instances](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) | -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) | |[Microsoft Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F640d2586-54d2-465f-877f-9ffc1d2109f4) |Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. 
The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_Microsoft_Defender_For_Storage_Full_Audit.json) | |[Perform vulnerability scans](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f) |CMA_0393 - Perform vulnerability scans |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0393.json) | 
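Review bot: the `-` line drops "Azure registry container images should have vulnerabilities resolved (powered by Qualys)" (5f0f936f-2f01-4bf5-b6be-d423792fa562, version 2.0.2) from this control and the hunk adds no `+` replacement, which the header `@@ -3192,7 +3192,6 @@` confirms as a net one-line removal. What remains mapped here for image vulnerabilities is "Microsoft Defender for Containers should be enabled", which audits that the plan is on rather than that per-image findings are resolved, and the Manual "Perform vulnerability scans" (CMA_0393). If the Qualys-based definition was deprecated in favour of another built-in, that definition should appear in this hunk; if it was removed from the initiative with no successor, confirm that against the current initiative definition, because readers will otherwise read this as a drop in automated coverage for the control.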
@@ -3611,7 +3610,7 @@ initiative definition. |[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | 
@@ -3673,7 +3672,7 @@ initiative definition. |[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | diff --git a/articles/governance/policy/samples/fedramp-moderate.md b/articles/governance/policy/samples/fedramp-moderate.md index 985853c885472..13f1080113153 100644 --- a/articles/governance/policy/samples/fedramp-moderate.md +++ b/articles/governance/policy/samples/fedramp-moderate.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for FedRAMP Moderate description: Details of the FedRAMP Moderate Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- 
@@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in FedRAMP Moderate. For more information about this compliance standard, see [FedRAMP Moderate](https://www.fedramp.gov/). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **FedRAMP Moderate** controls. Many of the controls 
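Review bot: the `+` line drops the `#type` fragment from the definition-structure.md link but keeps the sentence "To understand _Ownership_, see ...", so the link now lands on the top of the definition structure article instead of on the property that explains Ownership. If the `type` section was renamed or split into its own page, point the link at that new anchor or page rather than at the bare article, so the deep link the sentence promises is preserved. The `[Shared responsibility in the cloud]` link on the following context line is unchanged and still correct.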
@@ -227,7 +227,7 @@ initiative definition. |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RestrictCORSAccess_WebApp_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. 
It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. 
Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | 
@@ -2641,7 +2641,6 @@ initiative definition. |[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected Azure SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb4388-5bf4-4ad7-ba82-2cd2f41ceae9) |Audit SQL servers without Advanced Data Security |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected SQL Managed Instances](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) | -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) | |[Microsoft Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F640d2586-54d2-465f-877f-9ffc1d2109f4) |Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. 
The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_Microsoft_Defender_For_Storage_Full_Audit.json) | |[Perform vulnerability scans](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f) |CMA_0393 - Perform vulnerability scans |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0393.json) | 
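Review bot: same removal as in the earlier file in this patch: the `-` line deletes the Qualys-powered container image vulnerability assessment definition (version 2.0.2) with no `+` successor, and the header `@@ -2641,7 +2641,6 @@` confirms the net one-line drop. Within this control, automated detection of unresolved image vulnerabilities now rests on "Microsoft Defender for Containers should be enabled" alone, with "Perform vulnerability scans" being a Manual effect. Since this page carries `ms.custom: generated`, verify against the current FedRAMP Moderate initiative definition that the Qualys definition was in fact removed and that no successor definition is missing from this table.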
@@ -2989,7 +2988,7 @@ initiative definition. |[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | 
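Review bot: the description column for "Azure AI Services resources should restrict network access" is left untouched while the version moves from 3.1.0 to 3.2.0; a minor version bump of a built-in definition often carries a wording change, so confirm the displayName and description in the 3.2.0 `NetworkAcls_Audit.json` are really identical to what is shown here, otherwise the row text will lag the linked definition. Effects (Audit, Deny, Disabled) and the GitHub path are unchanged, which is consistent with a compatible bump.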
@@ -3051,7 +3050,7 @@ initiative definition. |[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | diff --git a/articles/governance/policy/samples/gov-azure-security-benchmark.md b/articles/governance/policy/samples/gov-azure-security-benchmark.md index 0ed078964ac99..5150306ff68e8 100644 --- a/articles/governance/policy/samples/gov-azure-security-benchmark.md +++ b/articles/governance/policy/samples/gov-azure-security-benchmark.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for Microsoft cloud security benchmark (Azure Government) description: Details of the Microsoft cloud security benchmark (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- 
@@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in Microsoft cloud security benchmark (Azure Government). For more information about this compliance standard, see [Microsoft cloud security benchmark](/security/benchmark/azure/introduction). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **Microsoft cloud security benchmark** controls. Many of the controls 
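Review bot: dropping the `#type` fragment from the `definition-structure.md` link changes where readers land: the sentence explicitly sends them to the explanation of _Ownership_, and without the anchor they arrive at the top of the concept page instead of the Type section. If the target heading was renamed or moved (the usual reason for removing a fragment), point the link at the new anchor, e.g. `../concepts/definition-structure.md#<new-anchor>`, rather than the bare page; if the section still exists, keep `#type`.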
@@ -56,7 +56,7 @@ initiative definition. |[API Management services should use a virtual network](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cosmos DB accounts should have firewall rules](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb) |Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. 
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_NetworkRulesExist_Audit.json) | |[Azure Cosmos DB should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F797b37f7-06b8-444c-b1ad-fc62867f335a) |Disabling public network access improves security by ensuring that your CosmosDB account isn't exposed on the public internet. Creating private endpoints can limit exposure of your CosmosDB account. Learn more at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation](../../../cosmos-db/how-to-configure-private-endpoints.md#blocking-public-network-access-during-account-creation). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateNetworkAccess_AuditDeny.json) | 
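Review bot: the bumped row for "Azure AI Services resources should restrict network access" on this Azure Government page links the public-cloud definition folder (`.../policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json`) at 3.2.0, whereas the neighbouring Government-specific row (`ASC_EnableIpRanges_KubernetesService_Audit.json` at 2.0.0) links under `Azure%20Government/`. The Government initiative can lag the public one, so verify that 3.2.0 is the version actually published to Azure Government before changing it here; if Government still ships 3.1.0, this hunk should be dropped from this file.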
@@ -77,7 +77,9 @@ initiative definition. |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). 
|Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) | |[Private endpoint connections on Azure SQL Database should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7698e800-9299-47a6-b3b6-5a0fee576eed) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. |Audit, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PrivateEndpoint_Audit.json) | +|[Private endpoint should be enabled for PostgreSQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0564d078-92f5-4f97-8398-b9f58a51f70b) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/SQL/PostgreSQL_EnablePrivateEndPoint_Audit.json) | |[Public network access on Azure SQL Database should be disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b8ca024-1d5c-4dec-8995-b1a932b41780) |Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. 
|Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PublicNetworkAccess_Audit.json) | +|[Public network access should be disabled for PostgreSQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb52376f7-9612-48a1-81cd-1ffe4b61032c) |Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. |Audit, Deny, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_DisablePublicNetworkAccess_Audit.json) | |[Storage accounts should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34c877ad-507e-4c82-993e-3452a6e0ad3c) |Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. 
To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges |Audit, Deny, Disabled |[1.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_NetworkAcls_Audit.json) | |[Storage accounts should restrict network access using virtual network rules](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2a1a9cdf-e04d-429a-8416-3bfb72a1b26f) |Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountOnlyVnetRulesEnabled_Audit.json) | |[Storage accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6edd7eda-6dd8-40f7-810d-67160c639cd9) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - [https://aka.ms/azureprivatelinkoverview](https://aka.ms/azureprivatelinkoverview) |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountPrivateEndpointEnabled_Audit.json) | @@ -132,9 +134,10 @@ initiative definition. |Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | |---|---|---|---| +|[A Microsoft Entra administrator should be provisioned for PostgreSQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb4dec045-250a-48c2-b5cc-e0c4eec8b5b4) |Audit provisioning of a Microsoft Entra administrator for your PostgreSQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_AuditServerADAdmins_Audit.json) | |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. 
After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | -|[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/azure-ml-aad-policy](https://aka.ms/azure-ml-aad-policy). |Audit, Deny, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Audit.json) | +|[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/azure-ml-aad-policy](https://aka.ms/azure-ml-aad-policy). 
|Audit, Deny, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Audit.json) | |[Azure SQL Database should have Microsoft Entra-only authentication enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb3a22bc9-66de-45fb-98fa-00f5df42f41a) |Require Azure SQL logical servers to use Microsoft Entra-only authentication. This policy doesn't block servers from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: [https://aka.ms/adonlycreate](https://aka.ms/adonlycreate). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_ADOnlyEnabled_DisableADAuth_Deny.json) | |[Azure SQL Database should have Microsoft Entra-only authentication enabled during creation](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabda6d70-9778-44e7-84a8-06713e6db027) |Require Azure SQL logical servers to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: [https://aka.ms/adonlycreate](https://aka.ms/adonlycreate). 
|Audit, Deny, Disabled |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_ADOnlyEnabled_Deny.json) | |[Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0c28c3fb-c244-42d5-a9bf-f35f2999577b) |Require Azure SQL Managed Instance to use Microsoft Entra-only authentication. This policy doesn't block Azure SQL Managed instances from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: [https://aka.ms/adonlycreate](https://aka.ms/adonlycreate). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_ADOnlyEnabled_DisableADAuth_Deny.json) | 
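Review bot: in the `@@ -77,7 +77,9 @@` hunk the two new PostgreSQL rows link inconsistent definition folders: "Private endpoint should be enabled for PostgreSQL servers" (1.0.2) points under `Azure%20Government/SQL/`, while "Public network access should be disabled for PostgreSQL servers" (2.0.1) points at the public `SQL/` folder. Both are rows on the Azure Government page, so check that each path resolves and that the version shown is the one in the Government build of the definition. Placement is fine: both rows slot alphabetically between the Azure SQL Database rows and the Storage rows.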
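Review bot: in the `@@ -132,9 +134,10 @@` hunk the "Azure Machine Learning Computes should have local authentication methods disabled" row is bumped from 2.0.1 to 2.1.0 with its description left as-is, still saying "Azure Active Directory identities", while the newly added PostgreSQL row in the same hunk already uses "Microsoft Entra" wording; confirm the 2.1.0 `DisableLocalAuth_Audit.json` text was not moved to Entra terminology, otherwise regenerate the description together with the version. The new row "A Microsoft Entra administrator should be provisioned for PostgreSQL servers" is correctly placed at the top of the table ("A Microsoft..." sorts before "An Azure...").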
@@ -279,6 +282,7 @@ initiative definition. |[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). |Audit, Deny, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | |[Cognitive Services accounts should enable data encryption with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F67121cc7-ff39-4ab8-b7e3-95b84dab487d) |Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at [https://go.microsoft.com/fwlink/?linkid=2121321](https://go.microsoft.com/fwlink/?linkid=2121321). 
|Audit, Deny, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CustomerManagedKey_Audit.json) | |[Container registries should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) |Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/acr/CMK](https://aka.ms/acr/CMK). |Audit, Deny, Disabled |[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) | +|[PostgreSQL servers should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F18adea5e-f416-4d0f-8aa8-d24321e3e274) |Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
|AuditIfNotExists, Disabled |[1.0.4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/SQL/PostgreSQL_EnableByok_Audit.json) | |[Storage accounts should use customer-managed key for encryption](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6fac406b-40ca-413b-bf8e-0bf964659c25) |Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. |Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountCustomerManagedKeyEnabled_Audit.json) | ### Ensure security of key and certificate repository @@ -503,9 +507,7 @@ initiative definition. |Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | |---|---|---|---| |[Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F090c7b07-b4ed-4561-ad20-e9075f3ccaff) |Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_AzureContainerRegistryVulnerabilityAssessment_Audit.json) | -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. 
|AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |[Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17f4b1cc-c55c-4d94-b1f9-2978f6ac2957) |Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_K8sRuningImagesVulnerabilityAssessmentBasedOnMDVM_Audit.json) | -|[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. 
|AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) | |[SQL databases should have vulnerability findings resolved](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. |AuditIfNotExists, Disabled |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) | |[SQL servers on machines should have vulnerability findings resolved](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6ba6d016-e7c3-4842-b8f2-4992ebc0d72d) |SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerSQLVulnerabilityAssessment_Audit.json) | |[System updates on virtual machine scale sets should be installed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3f317a7-a95c-4547-b7e7-11017ebdf2fe) |Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. 
|AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_VmssMissingSystemUpdates_Audit.json) | @@ -571,9 +573,7 @@ initiative definition. |Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | |---|---|---|---| |[Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F090c7b07-b4ed-4561-ad20-e9075f3ccaff) |Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_AzureContainerRegistryVulnerabilityAssessment_Audit.json) | -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. 
|AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |[Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17f4b1cc-c55c-4d94-b1f9-2978f6ac2957) |Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_K8sRuningImagesVulnerabilityAssessmentBasedOnMDVM_Audit.json) | -|[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. 
|AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) | |[Vulnerabilities in container security configurations should be remediated](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) |Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_ContainerBenchmark_Audit.json) | ## Next steps diff --git a/articles/governance/policy/samples/gov-cis-azure-1-1-0.md b/articles/governance/policy/samples/gov-cis-azure-1-1-0.md index 30cc68f2c337e..785dacc78881d 100644 --- a/articles/governance/policy/samples/gov-cis-azure-1-1-0.md +++ b/articles/governance/policy/samples/gov-cis-azure-1-1-0.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.1.0 (Azure Government) description: Details of the CIS Microsoft Azure Foundations Benchmark 1.1.0 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- 
@@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in CIS Microsoft Azure Foundations Benchmark 1.1.0 (Azure Government). For more information about this compliance standard, see [CIS Microsoft Azure Foundations Benchmark 1.1.0](https://www.cisecurity.org/benchmark/azure/). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **CIS Microsoft Azure Foundations Benchmark 1.1.0** controls. Many of the controls diff --git a/articles/governance/policy/samples/gov-cis-azure-1-3-0.md b/articles/governance/policy/samples/gov-cis-azure-1-3-0.md index 5993078f05d97..846a6c1dfaf70 100644 --- a/articles/governance/policy/samples/gov-cis-azure-1-3-0.md +++ b/articles/governance/policy/samples/gov-cis-azure-1-3-0.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.3.0 (Azure Government) description: Details of the CIS Microsoft Azure Foundations Benchmark 1.3.0 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- 
@@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in CIS Microsoft Azure Foundations Benchmark 1.3.0 (Azure Government). For more information about this compliance standard, see [CIS Microsoft Azure Foundations Benchmark 1.3.0](https://www.cisecurity.org/benchmark/azure/). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **CIS Microsoft Azure Foundations Benchmark 1.3.0** controls. Many of the controls diff --git a/articles/governance/policy/samples/gov-cmmc-l3.md b/articles/governance/policy/samples/gov-cmmc-l3.md index fd44600cb1ff7..61b63c1e996c1 100644 --- a/articles/governance/policy/samples/gov-cmmc-l3.md +++ b/articles/governance/policy/samples/gov-cmmc-l3.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for CMMC Level 3 (Azure Government) description: Details of the CMMC Level 3 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- 
@@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in CMMC Level 3 (Azure Government). For more information about this compliance standard, see [CMMC Level 3](https://www.acq.osd.mil/cmmc/documentation.html). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **CMMC Level 3** controls. Many of the controls 
@@ -46,7 +46,7 @@ This built-in initiative is deployed as part of the |---|---|---|---| |[App Service apps should have remote debugging turned off](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcb510bfd-1cba-4d9f-a230-cb0976f4bb71) |Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/DisableRemoteDebugging_WebApp_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RestrictCORSAccess_WebApp_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. |Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) | |[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) | |[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) | 
@@ -71,7 +71,7 @@ This built-in initiative is deployed as part of the |---|---|---|---| |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RestrictCORSAccess_WebApp_Audit.json) | |[App Service apps should only be accessible over HTTPS](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/Webapp_AuditHTTP_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. |Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. 
Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | @@ -127,7 +127,7 @@ This built-in initiative is deployed as part of the |Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | |---|---|---|---| -|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. 
|Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. 
Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | 
@@ -364,7 +364,7 @@ This built-in initiative is deployed as part of the |[Allowlist rules in your adaptive application control policy should be updated](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F123a3936-f020-408a-ba0c-47873faf1534) |Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_AdaptiveApplicationControlsUpdate_Audit.json) | |[App Service apps should have remote debugging turned off](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcb510bfd-1cba-4d9f-a230-cb0976f4bb71) |Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/DisableRemoteDebugging_WebApp_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. 
|AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RestrictCORSAccess_WebApp_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. 
Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Function apps should have remote debugging turned off](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. 
|AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/DisableRemoteDebugging_FunctionApp_Audit.json) | 
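Review bot: the 3.1.0 to 3.2.0 bump on the "Azure AI Services resources should restrict network access" row in this hunk leaves the description and the effect list (Audit, Deny, Disabled) byte-for-byte unchanged, so please confirm against the linked NetworkAcls_Audit.json that 3.2.0 changed only rule logic or parameters and that the generator picked up any revised description text; a version bump with otherwise identical text is the usual sign of a partial regeneration. Also visible in the unchanged context of this hunk: the container registry row links `[https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,)` with the trailing comma inside the URL target, which renders as a broken link. Since these rows are rendered from the policy definitions' own description text, that fix belongs upstream in the definition rather than in a hand edit of this page.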
@@ -572,7 +572,7 @@ This built-in initiative is deployed as part of the |[All network ports should be restricted on network security groups associated to your virtual machine](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9daedab3-fb2d-461e-b861-71790eead4f6) |Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_UnprotectedEndpoints_Audit.json) | |[App Service apps should only be accessible over HTTPS](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/Webapp_AuditHTTP_Audit.json) | |[App Service apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. 
|AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. 
Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Network/WAF_AFD_Enabled_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. 
If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | 
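Review bot: the same definition id 037eea7a-bd0a-46c5-9a66-03aea78705d3 is bumped to 3.2.0 here as in the @@ -364 hunk; because one definition is mapped under several controls in these compliance pages, a search of the file for the old `3.1.0` next to `NetworkAcls_Audit.json` before merge would confirm no mapping was missed. Separately, in this hunk's unchanged context the "App Service apps should only be accessible over HTTPS" row lists its effects as "Audit, Disabled, Deny" while every other row orders them "Audit, Deny, Disabled"; worth checking whether the source definition lists the effects in that order or the generator reordered them, since a reader scanning the column may take it for a different effect set. The "latest TLS version" row's description ("either due to security flaws, include additional functionality, and enhance speed") is also ungrammatical, but it is the definition's own text and cannot be corrected in this generated file.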
@@ -668,7 +668,7 @@ This built-in initiative is deployed as part of the |---|---|---|---| |[All network ports should be restricted on network security groups associated to your virtual machine](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9daedab3-fb2d-461e-b861-71790eead4f6) |Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_UnprotectedEndpoints_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RestrictCORSAccess_WebApp_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. 
|Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Network/WAF_AFD_Enabled_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). 
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | diff --git a/articles/governance/policy/samples/gov-fedramp-high.md b/articles/governance/policy/samples/gov-fedramp-high.md index 47734297ee8cd..4445eb11b5756 100644 --- a/articles/governance/policy/samples/gov-fedramp-high.md +++ b/articles/governance/policy/samples/gov-fedramp-high.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for FedRAMP High (Azure Government) description: Details of the FedRAMP High (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- @@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in FedRAMP High (Azure Government). For more information about this compliance standard, see [FedRAMP High](https://www.fedramp.gov/). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **FedRAMP High** controls. Many of the controls 
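Review bot: in the @@ -11 hunk of gov-fedramp-high.md the _Ownership_ link drops the `#type` fragment from `../concepts/definition-structure.md`, so readers now land at the top of the definition-structure page instead of the section that explains the type field that ownership is derived from; if that section moved, the link should target its new anchor rather than the page root, otherwise the sentence "To understand _Ownership_, see ..." no longer points at anything specific. The `ms.date` change to 03/18/2024 in the @@ -1 hunk and the 3.2.0 bump in the @@ -668 hunk are consistent with the regeneration (the file is marked `ms.custom: generated`), nothing further there.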
@@ -127,7 +127,7 @@ initiative definition. |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RestrictCORSAccess_WebApp_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. 
It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | 
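Review bot: the 3.2.0 bump in this hunk matches the other files; one thing in the unchanged context worth routing to the generator owners is the "Azure Cache for Redis should use private link" row, whose visible link text is `https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link` while its target is the relative path `../../../azure-cache-for-redis/cache-private-link.md`, so the literal URL the reader sees is not the URL the link opens; either the visible text should be the page title or the target should be the absolute URL. Same row: "Private endpoints lets you" should read "let you". Both are definition-description issues rather than something to hand-edit in a file marked `ms.custom: generated`.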
@@ -749,7 +749,7 @@ initiative definition. |[API Management services should use a virtual network](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | 
@@ -797,7 +797,7 @@ initiative definition. |[API Management services should use a virtual network](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | diff --git a/articles/governance/policy/samples/gov-fedramp-moderate.md b/articles/governance/policy/samples/gov-fedramp-moderate.md index 967b29a0d58c4..a6e01760c1105 100644 --- a/articles/governance/policy/samples/gov-fedramp-moderate.md +++ b/articles/governance/policy/samples/gov-fedramp-moderate.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for FedRAMP Moderate (Azure Government) description: Details of the FedRAMP Moderate (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- 
@@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in FedRAMP Moderate (Azure Government). For more information about this compliance standard, see [FedRAMP Moderate](https://www.fedramp.gov/). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **FedRAMP Moderate** controls. Many of the controls 
@@ -127,7 +127,7 @@ initiative definition. |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RestrictCORSAccess_WebApp_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. 
It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | 
@@ -622,7 +622,7 @@ initiative definition. |[API Management services should use a virtual network](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | 
@@ -670,7 +670,7 @@ initiative definition. |[API Management services should use a virtual network](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | diff --git a/articles/governance/policy/samples/gov-irs-1075-sept2016.md b/articles/governance/policy/samples/gov-irs-1075-sept2016.md index 33f4578a0ecd6..8d4504cca701b 100644 --- a/articles/governance/policy/samples/gov-irs-1075-sept2016.md +++ b/articles/governance/policy/samples/gov-irs-1075-sept2016.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for IRS 1075 September 2016 (Azure Government) description: Details of the IRS 1075 September 2016 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- 
@@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in IRS 1075 September 2016 (Azure Government). For more information about this compliance standard, see [IRS 1075 September 2016](https://www.irs.gov/pub/irs-pdf/p1075.pdf). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **IRS 1075 September 2016** controls. Many of the controls diff --git a/articles/governance/policy/samples/gov-iso-27001.md b/articles/governance/policy/samples/gov-iso-27001.md index d6e5543f00182..3031f52c4f59c 100644 --- a/articles/governance/policy/samples/gov-iso-27001.md +++ b/articles/governance/policy/samples/gov-iso-27001.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for ISO 27001:2013 (Azure Government) description: Details of the ISO 27001:2013 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- 
@@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in ISO 27001:2013 (Azure Government). For more information about this compliance standard, see [ISO 27001:2013](https://www.iso.org/standard/iso-iec-27000-family). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **ISO 27001:2013** controls. Many of the controls diff --git a/articles/governance/policy/samples/gov-nist-sp-800-171-r2.md b/articles/governance/policy/samples/gov-nist-sp-800-171-r2.md index 7594f665bc99b..901d2169bfd30 100644 --- a/articles/governance/policy/samples/gov-nist-sp-800-171-r2.md +++ b/articles/governance/policy/samples/gov-nist-sp-800-171-r2.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for NIST SP 800-171 R2 (Azure Government) description: Details of the NIST SP 800-171 R2 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- 
@@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in NIST SP 800-171 R2 (Azure Government). For more information about this compliance standard, see [NIST SP 800-171 R2](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **NIST SP 800-171 R2** controls. Many of the controls 
@@ -219,7 +219,7 @@ initiative definition. |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RestrictCORSAccess_WebApp_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. 
It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | 
@@ -336,7 +336,7 @@ initiative definition. |[API Management services should use a virtual network](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | 
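Review bot: the only change in this hunk is the version cell for "Azure AI Services resources should restrict network access" (3.1.0 to 3.2.0); the description column, the effect list ("Audit, Deny, Disabled") and the link target (`.../Azure%20Ai%20Services/NetworkAcls_Audit.json` on `master`) are unchanged. Because the link is not pinned to a tag or commit, nothing in the row tells a reader what changed between 3.1.0 and 3.2.0, and the unchanged description and effect cells are only correct if the 3.2.0 JSON still carries the same text and `allowedValues`. Please confirm the regeneration read those cells from the 3.2.0 definition rather than bumping the version string alone; the same row is bumped in the `@@ -442`, `@@ -490` and `@@ -536` tables below, so whatever the answer is, it applies to all of them.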
@@ -442,7 +442,7 @@ initiative definition. |[API Management services should use a virtual network](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | 
@@ -490,7 +490,7 @@ initiative definition. |[API Management services should use a virtual network](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | 
@@ -536,7 +536,7 @@ initiative definition. |---|---|---|---| |[All network ports should be restricted on network security groups associated to your virtual machine](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9daedab3-fb2d-461e-b861-71790eead4f6) |Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_UnprotectedEndpoints_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | |[Azure Cosmos DB accounts should have firewall rules](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb) |Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. 
Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_NetworkRulesExist_Audit.json) | |[Azure Key Vault should have firewall enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F55615ac9-af46-4a59-874e-391cc3dfb490) |Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: [https://docs.microsoft.com/azure/key-vault/general/network-security](../../../key-vault/general/network-security.md) |Audit, Deny, Disabled |[1.4.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Key%20Vault/FirewallEnabled_Audit.json) | diff --git a/articles/governance/policy/samples/gov-nist-sp-800-53-r4.md b/articles/governance/policy/samples/gov-nist-sp-800-53-r4.md index 3a29e1a0ae707..49b9e57557592 100644 --- a/articles/governance/policy/samples/gov-nist-sp-800-53-r4.md +++ b/articles/governance/policy/samples/gov-nist-sp-800-53-r4.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for NIST SP 800-53 Rev. 4 (Azure Government) description: Details of the NIST SP 800-53 Rev. 4 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- 
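Review bot: the front-matter hunk for gov-nist-sp-800-53-r4.md bumps `ms.date` from 03/14/2024 to 03/18/2024, which is consistent with the regenerated rows that follow. The file whose hunks precede this `diff --git` header receives the identical 3.1.0 to 3.2.0 bump in four tables, but no corresponding `ms.date` change for it is visible in this excerpt; check that its front matter was refreshed in the same run so the two compliance pages do not report different generation dates for the same policy revision.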
@@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in NIST SP 800-53 Rev. 4 (Azure Government). For more information about this compliance standard, see [NIST SP 800-53 Rev. 4](https://nvd.nist.gov/800-53). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **NIST SP 800-53 Rev. 4** controls. Many of the controls 
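Review bot: the `Ownership` link drops its `#type` fragment, so "To understand _Ownership_, see [Azure Policy policy definition]" now lands on the top of definition-structure.md instead of the section that describes the definition `type` field the sentence is pointing the reader at. If that section moved when the concepts page was restructured, link to its new location (the new page or heading for the `type` property) rather than the page root; otherwise keep `#type`, since the deep link is the whole point of the sentence.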
@@ -236,7 +236,7 @@ initiative definition. |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RestrictCORSAccess_WebApp_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. 
It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | 
@@ -3914,7 +3914,7 @@ initiative definition. |[API Management services should use a virtual network](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | 
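Review bot: the 3.1.0 to 3.2.0 bump on the "Azure AI Services resources should restrict network access" row changes only the version cell; the description, the effects (Audit, Deny, Disabled) and the definition link are byte-identical to the 3.1.0 row, and that link resolves to NetworkAcls_Audit.json on master rather than a version-pinned path, so confirm the generator actually pulled 3.2.0's description text instead of re-emitting the old row, or the page will now cite a version whose behaviour it does not describe. The same applies to the identical hunk at -3965 in this file and to the hunks at -228, -3660 and -3711 in gov-nist-sp-800-53-r5.md.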
@@ -3965,7 +3965,7 @@ initiative definition. |[API Management services should use a virtual network](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | diff --git a/articles/governance/policy/samples/gov-nist-sp-800-53-r5.md b/articles/governance/policy/samples/gov-nist-sp-800-53-r5.md index 7397a5e812334..5b174c54ea3fd 100644 --- a/articles/governance/policy/samples/gov-nist-sp-800-53-r5.md +++ b/articles/governance/policy/samples/gov-nist-sp-800-53-r5.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for NIST SP 800-53 Rev. 5 (Azure Government) description: Details of the NIST SP 800-53 Rev. 5 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- 
@@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in NIST SP 800-53 Rev. 5 (Azure Government). For more information about this compliance standard, see [NIST SP 800-53 Rev. 5](https://nvd.nist.gov/800-53). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **NIST SP 800-53 Rev. 5** controls. Many of the controls 
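Review bot: dropping the `#type` fragment from the Ownership link sends readers to the top of definition-structure.md instead of the section that explains the policy type field, while the sentence still says "To understand _Ownership_, see"; if that section was moved or renamed in the target page, link to its new anchor rather than the page root so the reference still lands on the relevant text. The same anchor removal appears in the run-together hunks for hipaa-hitrust-9-2.md, irs-1075-sept2016.md, iso-27001.md, mcfs-baseline-confidential.md and mcfs-baseline-global.md below.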
@@ -228,7 +228,7 @@ initiative definition. |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RestrictCORSAccess_WebApp_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. 
It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | 
@@ -3660,7 +3660,7 @@ initiative definition. |[API Management services should use a virtual network](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | 
@@ -3711,7 +3711,7 @@ initiative definition. |[API Management services should use a virtual network](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | diff --git a/articles/governance/policy/samples/hipaa-hitrust-9-2.md b/articles/governance/policy/samples/hipaa-hitrust-9-2.md index 3af2e9edc0343..a9c9cc654f08f 100644 --- a/articles/governance/policy/samples/hipaa-hitrust-9-2.md +++ b/articles/governance/policy/samples/hipaa-hitrust-9-2.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for HIPAA HITRUST 9.2 description: Details of the HIPAA HITRUST 9.2 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- 
@@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in HIPAA HITRUST 9.2. For more information about this compliance standard, see [HIPAA HITRUST 9.2](https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **HIPAA HITRUST 9.2** controls. Many of the controls diff --git a/articles/governance/policy/samples/irs-1075-sept2016.md b/articles/governance/policy/samples/irs-1075-sept2016.md index 7907b5a83d315..90680551f3701 100644 --- a/articles/governance/policy/samples/irs-1075-sept2016.md +++ b/articles/governance/policy/samples/irs-1075-sept2016.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for IRS 1075 September 2016 description: Details of the IRS 1075 September 2016 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- 
@@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in IRS 1075 September 2016. For more information about this compliance standard, see [IRS 1075 September 2016](https://www.irs.gov/pub/irs-pdf/p1075.pdf). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **IRS 1075 September 2016** controls. Many of the controls diff --git a/articles/governance/policy/samples/iso-27001.md b/articles/governance/policy/samples/iso-27001.md index 023edc1c16755..6b3ed9f477e0a 100644 --- a/articles/governance/policy/samples/iso-27001.md +++ b/articles/governance/policy/samples/iso-27001.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for ISO 27001:2013 description: Details of the ISO 27001:2013 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- @@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in ISO 27001:2013. For more information about this compliance standard, see [ISO 27001:2013](https://www.iso.org/standard/iso-iec-27000-family). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **ISO 27001:2013** controls. Many of the controls 
diff --git a/articles/governance/policy/samples/mcfs-baseline-confidential.md b/articles/governance/policy/samples/mcfs-baseline-confidential.md index 1b003217dff19..977bafdb32199 100644 --- a/articles/governance/policy/samples/mcfs-baseline-confidential.md +++ b/articles/governance/policy/samples/mcfs-baseline-confidential.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for Microsoft Cloud for Sovereignty Baseline Confidential Policies description: Details of the Microsoft Cloud for Sovereignty Baseline Confidential Policies Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- @@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in Microsoft Cloud for Sovereignty Baseline Confidential Policies. For more information about this compliance standard, see [Microsoft Cloud for Sovereignty Baseline Confidential Policies](/industry/sovereignty/policy-portfolio-baseline). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **Microsoft Cloud for Sovereignty Baseline Confidential Policies** controls. Many of the controls diff --git a/articles/governance/policy/samples/mcfs-baseline-global.md b/articles/governance/policy/samples/mcfs-baseline-global.md index 4a3ec3b5a0925..9d9a7deb76773 100644 --- a/articles/governance/policy/samples/mcfs-baseline-global.md +++ b/articles/governance/policy/samples/mcfs-baseline-global.md 
@@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for Microsoft Cloud for Sovereignty Baseline Global Policies description: Details of the Microsoft Cloud for Sovereignty Baseline Global Policies Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- @@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in Microsoft Cloud for Sovereignty Baseline Global Policies. For more information about this compliance standard, see [Microsoft Cloud for Sovereignty Baseline Global Policies](/industry/sovereignty/policy-portfolio-baseline). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **Microsoft Cloud for Sovereignty Baseline Global Policies** controls. Many of the controls diff --git a/articles/governance/policy/samples/nist-sp-800-171-r2.md b/articles/governance/policy/samples/nist-sp-800-171-r2.md index c2aee16f55fa0..7068bc8c650e7 100644 --- a/articles/governance/policy/samples/nist-sp-800-171-r2.md +++ b/articles/governance/policy/samples/nist-sp-800-171-r2.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for NIST SP 800-171 R2 description: Details of the NIST SP 800-171 R2 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- 
@@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in NIST SP 800-171 R2. For more information about this compliance standard, see [NIST SP 800-171 R2](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **NIST SP 800-171 R2** controls. Many of the controls 
@@ -367,7 +367,7 @@ initiative definition. |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RestrictCORSAccess_WebApp_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. 
It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. 
Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | 
@@ -560,7 +560,6 @@ initiative definition. |[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected Azure SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb4388-5bf4-4ad7-ba82-2cd2f41ceae9) |Audit SQL servers without Advanced Data Security |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected SQL Managed Instances](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) | -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |[Implement privileged access for executing vulnerability scanning activities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b802722-71dd-a13d-2e7e-231e09589efb) |CMA_C1555 - Implement privileged access for executing vulnerability scanning activities |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_C1555.json) | |[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) | |[Microsoft Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F640d2586-54d2-465f-877f-9ffc1d2109f4) |Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_Microsoft_Defender_For_Storage_Full_Audit.json) | 
@@ -591,7 +590,6 @@ initiative definition. |[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected Azure SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb4388-5bf4-4ad7-ba82-2cd2f41ceae9) |Audit SQL servers without Advanced Data Security |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected SQL Managed Instances](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) | -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) | |[Microsoft Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F640d2586-54d2-465f-877f-9ffc1d2109f4) |Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. 
The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_Microsoft_Defender_For_Storage_Full_Audit.json) | |[Perform vulnerability scans](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f) |CMA_0393 - Perform vulnerability scans |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0393.json) | 
@@ -674,7 +672,7 @@ initiative definition. |[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | 
@@ -860,7 +858,7 @@ initiative definition. |[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | 
@@ -932,7 +930,7 @@ initiative definition. |[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | 
@@ -991,7 +989,7 @@ initiative definition. |[Adaptive network hardening recommendations should be applied on internet facing virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F08e6af2d-db70-460a-bfe9-d5bd474ba9d6) |Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveNetworkHardenings_Audit.json) | |[All network ports should be restricted on network security groups associated to your virtual machine](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9daedab3-fb2d-461e-b861-71790eead4f6) |Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnprotectedEndpoints_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. 
|Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. 
Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | |[Azure Cosmos DB accounts should have firewall rules](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb) |Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_NetworkRulesExist_Audit.json) | |[Azure Key Vault should have firewall enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F55615ac9-af46-4a59-874e-391cc3dfb490) |Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: [https://docs.microsoft.com/azure/key-vault/general/network-security](../../../key-vault/general/network-security.md) |Audit, Deny, Disabled |[3.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/FirewallEnabled_Audit.json) | diff --git a/articles/governance/policy/samples/nist-sp-800-53-r4.md b/articles/governance/policy/samples/nist-sp-800-53-r4.md index a86c011cd4dba..b882be9c1bf0f 100644 --- a/articles/governance/policy/samples/nist-sp-800-53-r4.md 
+++ b/articles/governance/policy/samples/nist-sp-800-53-r4.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for NIST SP 800-53 Rev. 4 description: Details of the NIST SP 800-53 Rev. 4 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- @@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in NIST SP 800-53 Rev. 4. For more information about this compliance standard, see [NIST SP 800-53 Rev. 4](https://nvd.nist.gov/800-53). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **NIST SP 800-53 Rev. 4** controls. Many of the controls 
@@ -254,7 +254,7 @@ initiative definition. |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RestrictCORSAccess_WebApp_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. 
It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. 
Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | 
@@ -3232,7 +3232,6 @@ initiative definition. |[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected Azure SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb4388-5bf4-4ad7-ba82-2cd2f41ceae9) |Audit SQL servers without Advanced Data Security |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected SQL Managed Instances](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) | -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) | |[Microsoft Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F640d2586-54d2-465f-877f-9ffc1d2109f4) |Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. 
The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_Microsoft_Defender_For_Storage_Full_Audit.json) | |[Perform vulnerability scans](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f) |CMA_0393 - Perform vulnerability scans |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0393.json) | 
@@ -3651,7 +3650,7 @@ initiative definition. |[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | 
@@ -3713,7 +3712,7 @@ initiative definition. |[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | diff --git a/articles/governance/policy/samples/nist-sp-800-53-r5.md b/articles/governance/policy/samples/nist-sp-800-53-r5.md index 6bb78261a9b60..a0f94056b9a56 100644 --- a/articles/governance/policy/samples/nist-sp-800-53-r5.md +++ b/articles/governance/policy/samples/nist-sp-800-53-r5.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for NIST SP 800-53 Rev. 5 description: Details of the NIST SP 800-53 Rev. 5 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- 
@@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in NIST SP 800-53 Rev. 5. For more information about this compliance standard, see [NIST SP 800-53 Rev. 5](https://nvd.nist.gov/800-53). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **NIST SP 800-53 Rev. 5** controls. Many of the controls 
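Review bot: dropping the `#type` fragment from the `definition-structure.md` link weakens the sentence it sits in: the text says "To understand _Ownership_, see [Azure Policy policy definition]", and the old anchor took the reader straight to the section that explains the policy `type` (where ownership is described), whereas the new link lands at the top of the page. If the `type` heading still exists on the target page, keep the anchor; if the target page was restructured, point the link at whatever section now documents the type/ownership field rather than at the page root. Since this file carries `ms.custom: generated`, the fix belongs in the generator template, otherwise the next regeneration will reintroduce whichever form the template uses.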
@@ -245,7 +245,7 @@ initiative definition. |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RestrictCORSAccess_WebApp_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. 
It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. 
Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | 
@@ -3025,7 +3025,6 @@ initiative definition. |[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected Azure SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb4388-5bf4-4ad7-ba82-2cd2f41ceae9) |Audit SQL servers without Advanced Data Security |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected SQL Managed Instances](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) | -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) | |[Microsoft Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F640d2586-54d2-465f-877f-9ffc1d2109f4) |Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. 
The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_Microsoft_Defender_For_Storage_Full_Audit.json) | |[Perform vulnerability scans](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f) |CMA_0393 - Perform vulnerability scans |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0393.json) | 
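Review bot: this hunk removes the "Azure registry container images should have vulnerabilities resolved (powered by Qualys)" row (definition `5f0f936f-2f01-4bf5-b6be-d423792fa562`, version 2.0.2) from the control's mapping without adding a replacement row, so the only container-image coverage left in this control is "Microsoft Defender for Containers should be enabled" plus the manual "Perform vulnerability scans" (CMA_0393) entry. If the removal reflects the built-in NIST SP 800-53 Rev. 5 initiative dropping this deprecated Qualys-based definition, please confirm that the initiative JSON now references the Defender-based successor for container image vulnerability assessment and that the generator will surface it here; if the initiative still contains the Qualys definition, this row should not be removed by hand in a `ms.custom: generated` file.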
@@ -3422,7 +3421,7 @@ initiative definition. |[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | 
@@ -3484,7 +3483,7 @@ initiative definition. |[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | diff --git a/articles/governance/policy/samples/nl-bio-cloud-theme.md b/articles/governance/policy/samples/nl-bio-cloud-theme.md index e5803c5edb082..26c71c6f06659 100644 --- a/articles/governance/policy/samples/nl-bio-cloud-theme.md +++ b/articles/governance/policy/samples/nl-bio-cloud-theme.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for NL BIO Cloud Theme description: Details of the NL BIO Cloud Theme Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- 
@@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in NL BIO Cloud Theme. For more information about this compliance standard, see [NL BIO Cloud Theme](https://www.digitaleoverheid.nl/overzicht-van-alle-onderwerpen/cybersecurity/kaders-voor-cybersecurity/baseline-informatiebeveiliging-overheid/). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **NL BIO Cloud Theme** controls. Many of the controls 
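Review bot: same concern as the identical link change in the NIST SP 800-53 Rev. 5 article: removing `#type` from the `definition-structure.md` link means the "To understand _Ownership_" sentence no longer lands on the section describing the policy `type`, which is where ownership is explained. Keep the anchor if that heading still exists, or retarget the link to the section that now covers it, and make the change in the generator template rather than only in this `ms.custom: generated` file.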
@@ -436,7 +436,7 @@ initiative definition. |[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | 
@@ -534,8 +534,6 @@ initiative definition. |[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected Azure SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb4388-5bf4-4ad7-ba82-2cd2f41ceae9) |Audit SQL servers without Advanced Data Security |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected SQL Managed Instances](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) | -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | -|[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. 
|AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) | |[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) | |[Endpoint protection solution should be installed on virtual machine scale sets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F26a828e1-e88f-464e-bbb3-c134a282b9de) |Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. 
|AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingEndpointProtection_Audit.json) | |[Function apps should use latest 'HTTP Version'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe2c1c086-2d84-4019-bff3-c44ccd95113c) |Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/FunctionApp_Audit_HTTP_Latest.json) | 
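Review bot: the @@ -534 hunk drops the two "(powered by Qualys)" rows ("Azure registry container images should have vulnerabilities resolved" and "Azure running container images should have vulnerabilities resolved"), which leaves this control with no container image vulnerability assessment mapping at all while the neighbouring rows (Defender for SQL, endpoint protection on scale sets, latest HTTP version) stay; if the Qualys-backed definitions were retired in favour of a successor assessment, the successor row should land in the same change rather than leaving the control thinner than before. The same two rows are removed three more times in rbi-itf-banks-2016.md (hunks @@ -186, @@ -205 and @@ -224), so whatever replacement is decided on should be applied there too.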
@@ -575,7 +573,7 @@ initiative definition. |[Audit usage of custom RBAC roles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) | |[Audit VMs that do not use managed disks](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F06a78e20-9358-41c9-923c-fb736d382a4d) |This policy audits VMs that do not use managed disks |audit |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VMRequireManagedDisk_Audit.json) | |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. 
Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | -|[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/azure-ml-aad-policy](https://aka.ms/azure-ml-aad-policy). |Audit, Deny, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Audit.json) | +|[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/azure-ml-aad-policy](https://aka.ms/azure-ml-aad-policy). 
|Audit, Deny, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Audit.json) | |[Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. |Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) | |[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) | |[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) | 
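Review bot: in the @@ -575 hunk the only difference between the removed and added "Azure Machine Learning Computes should have local authentication methods disabled" row is the version bump from 2.0.1 to 2.1.0; the description still reads "require Azure Active Directory identities exclusively" while the Azure AI Services row just above already says "Microsoft Entra ID becomes the only access method", so the 2.1.0 metadata did not pick up the rename. If this table is generated from the policy definition that the version link points at (the other samples in this patch carry `ms.custom: generated`), the wording has to be fixed in that definition or it will be overwritten on the next regeneration. The identical replacement is repeated in the @@ -610 and @@ -643 hunks, and the unchanged context row "Audit usage of custom RBAC roles" still carries the typo "Contributer" in all three, which is the same kind of upstream fix.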
@@ -610,7 +608,7 @@ initiative definition. |[Audit usage of custom RBAC roles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) | |[Audit VMs that do not use managed disks](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F06a78e20-9358-41c9-923c-fb736d382a4d) |This policy audits VMs that do not use managed disks |audit |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VMRequireManagedDisk_Audit.json) | |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. 
Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | -|[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/azure-ml-aad-policy](https://aka.ms/azure-ml-aad-policy). |Audit, Deny, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Audit.json) | +|[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/azure-ml-aad-policy](https://aka.ms/azure-ml-aad-policy). 
|Audit, Deny, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Audit.json) | |[Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. |Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) | |[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) | |[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) | 
@@ -643,7 +641,7 @@ initiative definition. |[Audit usage of custom RBAC roles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) | |[Audit VMs that do not use managed disks](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F06a78e20-9358-41c9-923c-fb736d382a4d) |This policy audits VMs that do not use managed disks |audit |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VMRequireManagedDisk_Audit.json) | |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. 
Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | -|[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/azure-ml-aad-policy](https://aka.ms/azure-ml-aad-policy). |Audit, Deny, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Audit.json) | +|[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/azure-ml-aad-policy](https://aka.ms/azure-ml-aad-policy). 
|Audit, Deny, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Audit.json) | |[Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. |Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) | |[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) | |[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) | diff --git a/articles/governance/policy/samples/pci-dss-3-2-1.md b/articles/governance/policy/samples/pci-dss-3-2-1.md index 8222d7c16063e..43771fd80dba0 100644 --- a/articles/governance/policy/samples/pci-dss-3-2-1.md +++ b/articles/governance/policy/samples/pci-dss-3-2-1.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for PCI DSS 3.2.1 description: Details of the PCI DSS 3.2.1 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- @@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in PCI DSS 3.2.1. For more information about this compliance standard, see [PCI DSS 3.2.1](https://www.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **PCI DSS 3.2.1** controls. Many of the controls diff --git a/articles/governance/policy/samples/pci-dss-4-0.md b/articles/governance/policy/samples/pci-dss-4-0.md index 76ccf037b9d7d..e6683c88c0399 100644 --- a/articles/governance/policy/samples/pci-dss-4-0.md +++ b/articles/governance/policy/samples/pci-dss-4-0.md 
@@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for PCI DSS v4.0 description: Details of the PCI DSS v4.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- @@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in PCI DSS v4.0. For more information about this compliance standard, see [PCI DSS v4.0](https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **PCI DSS v4.0** controls. Many of the controls diff --git a/articles/governance/policy/samples/rbi-itf-banks-2016.md b/articles/governance/policy/samples/rbi-itf-banks-2016.md index 0d73041879053..9435c2b073ec3 100644 --- a/articles/governance/policy/samples/rbi-itf-banks-2016.md +++ b/articles/governance/policy/samples/rbi-itf-banks-2016.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for Reserve Bank of India IT Framework for Banks v2016 description: Details of the Reserve Bank of India IT Framework for Banks v2016 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- 
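Review bot: the @@ -11 hunks in pci-dss-3-2-1.md and pci-dss-4-0.md (and the matching hunk in rbi-itf-banks-2016.md that follows) replace the deep link `../concepts/definition-structure.md#type` with `../concepts/definition-structure.md`, so "To understand _Ownership_" now lands on the top of the definition-structure page rather than on the section that explains the type field the sentence is pointing the reader at; if the `#type` anchor was removed because that content moved to another page, link to its new location instead of silently dropping the fragment. All three files are marked `ms.custom: generated`, so the link text should also be changed in the generator, otherwise the next regeneration reintroduces `#type` and the date bump to 03/18/2024 is the only change that survives.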
@@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in Reserve Bank of India IT Framework for Banks v2016. For more information about this compliance standard, see [Reserve Bank of India IT Framework for Banks v2016](https://rbidocs.rbi.org.in/rdocs/notification/PDFs/NT41893F697BC1D57443BB76AFC7AB56272EB.PDF). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **Reserve Bank of India IT Framework for Banks v2016** controls. Many of the controls @@ -186,8 +186,6 @@ initiative definition. |Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | |---|---|---|---| -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | -|[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) | |[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. 
|AuditIfNotExists, Disabled |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) | |[SQL servers on machines should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6ba6d016-e7c3-4842-b8f2-4992ebc0d72d) |SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerSQLVulnerabilityAssessment_Audit.json) | |[System updates on virtual machine scale sets should be installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3f317a7-a95c-4547-b7e7-11017ebdf2fe) |Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingSystemUpdates_Audit.json) | @@ -205,8 +203,6 @@ initiative definition. |Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | |---|---|---|---| |[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) | -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. 
|AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | -|[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) | |[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. |AuditIfNotExists, Disabled |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) | |[SQL servers on machines should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6ba6d016-e7c3-4842-b8f2-4992ebc0d72d) |SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. 
Resolving the vulnerabilities found can greatly improve your database security posture. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerSQLVulnerabilityAssessment_Audit.json) | |[System updates on virtual machine scale sets should be installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3f317a7-a95c-4547-b7e7-11017ebdf2fe) |Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingSystemUpdates_Audit.json) | @@ -224,8 +220,6 @@ initiative definition. |Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | |---|---|---|---| |[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) | -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. 
|AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | -|[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) | |[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. |AuditIfNotExists, Disabled |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) | |[SQL servers on machines should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6ba6d016-e7c3-4842-b8f2-4992ebc0d72d) |SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. 
Resolving the vulnerabilities found can greatly improve your database security posture. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerSQLVulnerabilityAssessment_Audit.json) | |[System updates on virtual machine scale sets should be installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3f317a7-a95c-4547-b7e7-11017ebdf2fe) |Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingSystemUpdates_Audit.json) | 
@@ -251,8 +245,6 @@ initiative definition. |[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected Azure SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb4388-5bf4-4ad7-ba82-2cd2f41ceae9) |Audit SQL servers without Advanced Data Security |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected SQL Managed Instances](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) | -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | -|[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. 
|AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) | |[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) | |[Microsoft Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F640d2586-54d2-465f-877f-9ffc1d2109f4) |Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_Microsoft_Defender_For_Storage_Full_Audit.json) | |[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. |AuditIfNotExists, Disabled |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) | @@ -518,7 +510,6 @@ initiative definition. |Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | |---|---|---|---| -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. |AuditIfNotExists, Disabled |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) | |[SQL servers on machines should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6ba6d016-e7c3-4842-b8f2-4992ebc0d72d) |SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerSQLVulnerabilityAssessment_Audit.json) | |[Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) |Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) | @@ -534,7 +525,6 @@ initiative definition. |Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | |---|---|---|---| |[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) | -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. 
|AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |[Email notification for high severity alerts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6e2593d9-add6-4083-9c9b-4b7d2188c899) |To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification.json) | |[Email notification to subscription owner for high severity alerts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0b15565f-aa9e-48ba-8619-45960f2c314d) |To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification_to_subscription_owner.json) | |[Subscriptions should have a contact email address for security issues](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7) |To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. 
|AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Security_contact_email.json) | 
@@ -611,7 +601,7 @@ initiative definition. |[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Defender for servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4da35fc9-c9e7-4960-aec9-797fe7d9051d) |Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) | |[Azure Event Grid domains should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9830b652-8523-49cc-b1b3-e17dce1127ca) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/privateendpoints](https://aka.ms/privateendpoints). 
|Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Domains_PrivateEndpoint_Audit.json) | |[Azure Event Grid topics should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4b90e17e-8448-49db-875e-bd83fb6f804f) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/privateendpoints](https://aka.ms/privateendpoints). |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Topics_PrivateEndpoint_Audit.json) | @@ -780,8 +770,6 @@ initiative definition. |Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | |---|---|---|---| -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | -|[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) | |[Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) |Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. 
|AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) | ### Application Security Life Cycle (Aslc)-6.3 @@ -790,8 +778,6 @@ initiative definition. |Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | |---|---|---|---| -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | -|[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) | |[Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) |Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. 
|AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) | ### Application Security Life Cycle (Aslc)-6.4 @@ -820,8 +806,6 @@ initiative definition. |Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | |---|---|---|---| -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | -|[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) | |[Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) |Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. 
|AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) | ### Application Security Life Cycle (Aslc)-6.7 @@ -830,8 +814,6 @@ initiative definition. |Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | |---|---|---|---| -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | -|[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) | |[Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) |Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. 
|AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) | |[Web Application Firewall (WAF) should be enabled for Application Gateway](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F564feb30-bf6a-4854-b4bb-0d2d2d1e6c66) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayEnabled_Audit.json) | |[Web Application Firewall (WAF) should enable all firewall rules for Application Gateway](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F632d3993-e2c0-44ea-a7db-2eca131f356d) |Enabling all Web Application Firewall (WAF) rules strengthens your application security and protects your web applications against common vulnerabilities. To learn more about Web Application Firewall (WAF) with Application Gateway, visit [https://aka.ms/waf-ag](https://aka.ms/waf-ag) |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ACAT_WAF_AppGatewayAllRulesEnabled_Audit.json) | diff --git a/articles/governance/policy/samples/rbi-itf-nbfc-2017.md b/articles/governance/policy/samples/rbi-itf-nbfc-2017.md index 957a61b7e92c1..a2a47e350cc13 100644 
--- a/articles/governance/policy/samples/rbi-itf-nbfc-2017.md +++ b/articles/governance/policy/samples/rbi-itf-nbfc-2017.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for Reserve Bank of India - IT Framework for NBFC description: Details of the Reserve Bank of India - IT Framework for NBFC Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- @@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in Reserve Bank of India - IT Framework for NBFC. For more information about this compliance standard, see [Reserve Bank of India - IT Framework for NBFC](https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=10999&Mode=0#C1). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **Reserve Bank of India - IT Framework for NBFC** controls. Many of the controls @@ -41,7 +41,6 @@ initiative definition. |Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | |---|---|---|---| |[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) | -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. 
|AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |[Email notification for high severity alerts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6e2593d9-add6-4083-9c9b-4b7d2188c899) |To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification.json) | |[Email notification to subscription owner for high severity alerts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0b15565f-aa9e-48ba-8619-45960f2c314d) |To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification_to_subscription_owner.json) | |[Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffb893a29-21bb-418c-a157-e99480ec364c) |Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. 
Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+ |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UpgradeVersion_KubernetesService_Audit.json) | @@ -259,8 +258,6 @@ initiative definition. |Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | |---|---|---|---| |[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) | -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. 
|AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | -|[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) | |[Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffb893a29-21bb-418c-a157-e99480ec364c) |Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. 
Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+ |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UpgradeVersion_KubernetesService_Audit.json) | |[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. |AuditIfNotExists, Disabled |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) | |[SQL servers on machines should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6ba6d016-e7c3-4842-b8f2-4992ebc0d72d) |SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerSQLVulnerabilityAssessment_Audit.json) | diff --git a/articles/governance/policy/samples/rmit-malaysia.md b/articles/governance/policy/samples/rmit-malaysia.md index ded26420ba4d7..395d16b46e27e 100644 --- a/articles/governance/policy/samples/rmit-malaysia.md +++ b/articles/governance/policy/samples/rmit-malaysia.md 
@@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for RMIT Malaysia description: Details of the RMIT Malaysia Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- @@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in RMIT Malaysia. For more information about this compliance standard, see [RMIT Malaysia](https://www.bnm.gov.my/documents/20124/963937/Risk+Management+in+Technology+(RMiT).pdf/810b088e-6f4f-aa35-b603-1208ace33619?t=1592866162078). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **RMIT Malaysia** controls. Many of the controls @@ -511,7 +511,6 @@ initiative definition. |Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | |---|---|---|---| |[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) | -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |[Vulnerability assessment should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b7aa243-30e4-4c9e-bca8-d0d3022b634a) |Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. 
Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) | |[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) |Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) | diff --git a/articles/governance/policy/samples/swift-csp-cscf-2021.md b/articles/governance/policy/samples/swift-csp-cscf-2021.md index c298d000698bb..29b534e42dabc 100644 --- a/articles/governance/policy/samples/swift-csp-cscf-2021.md +++ b/articles/governance/policy/samples/swift-csp-cscf-2021.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for SWIFT CSP-CSCF v2021 description: Details of the SWIFT CSP-CSCF v2021 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- 
@@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in SWIFT CSP-CSCF v2021. For more information about this compliance standard, see [SWIFT CSP-CSCF v2021](https://www.swift.com/myswift/customer-security-programme-csp). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **SWIFT CSP-CSCF v2021** controls. Many of the controls diff --git a/articles/governance/policy/samples/swift-csp-cscf-2022.md b/articles/governance/policy/samples/swift-csp-cscf-2022.md index bb44ed3dfb41d..d14d1c105025f 100644 --- a/articles/governance/policy/samples/swift-csp-cscf-2022.md +++ b/articles/governance/policy/samples/swift-csp-cscf-2022.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for SWIFT CSP-CSCF v2022 description: Details of the SWIFT CSP-CSCF v2022 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- 
@@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in SWIFT CSP-CSCF v2022. For more information about this compliance standard, see [SWIFT CSP-CSCF v2022](https://www.swift.com/myswift/customer-security-programme-csp). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **SWIFT CSP-CSCF v2022** controls. Many of the controls diff --git a/articles/governance/policy/samples/ukofficial-uknhs.md b/articles/governance/policy/samples/ukofficial-uknhs.md index aed24cc02b2e1..56f978922c7e8 100644 --- a/articles/governance/policy/samples/ukofficial-uknhs.md +++ b/articles/governance/policy/samples/ukofficial-uknhs.md @@ -1,7 +1,7 @@ --- title: Regulatory Compliance details for UK OFFICIAL and UK NHS description: Details of the UK OFFICIAL and UK NHS Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- 
@@ -11,7 +11,7 @@ The following article details how the Azure Policy Regulatory Compliance built-i definition maps to **compliance domains** and **controls** in UK OFFICIAL and UK NHS. For more information about this compliance standard, see [UK OFFICIAL and UK NHS](https://www.gov.uk/government/publications/government-security-classifications). To understand -_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). The following mappings are to the **UK OFFICIAL and UK NHS** controls. Many of the controls diff --git a/articles/healthcare-apis/fhir/media/convert-data/convert-data-with-azure-data-factory/pipeline-errors.png b/articles/healthcare-apis/fhir/media/convert-data/convert-data-with-azure-data-factory/pipeline-errors.png index 3b6482f2917fc..1f63519cf4740 100644 Binary files a/articles/healthcare-apis/fhir/media/convert-data/convert-data-with-azure-data-factory/pipeline-errors.png and b/articles/healthcare-apis/fhir/media/convert-data/convert-data-with-azure-data-factory/pipeline-errors.png differ diff --git a/articles/healthcare-apis/fhir/media/convert-data/convert-data-with-azure-data-factory/select-launch-studio.png b/articles/healthcare-apis/fhir/media/convert-data/convert-data-with-azure-data-factory/select-launch-studio.png index fe68346c9d010..41815ae15242a 100644 Binary files a/articles/healthcare-apis/fhir/media/convert-data/convert-data-with-azure-data-factory/select-launch-studio.png and b/articles/healthcare-apis/fhir/media/convert-data/convert-data-with-azure-data-factory/select-launch-studio.png differ 
diff --git a/articles/healthcare-apis/fhir/media/convert-data/convert-data-with-azure-data-factory/transformed-fhir-results.png b/articles/healthcare-apis/fhir/media/convert-data/convert-data-with-azure-data-factory/transformed-fhir-results.png index 12b8c9895fcd6..f0292a05e2beb 100644 Binary files a/articles/healthcare-apis/fhir/media/convert-data/convert-data-with-azure-data-factory/transformed-fhir-results.png and b/articles/healthcare-apis/fhir/media/convert-data/convert-data-with-azure-data-factory/transformed-fhir-results.png differ diff --git a/articles/key-vault/general/developers-guide.md b/articles/key-vault/general/developers-guide.md index e311df90b9653..4354027bead2c 100644 --- a/articles/key-vault/general/developers-guide.md +++ b/articles/key-vault/general/developers-guide.md @@ -145,7 +145,7 @@ For certificates, you can use: For secrets, you can use: - Key Vault secrets with App Service application settings. For more information, see [Use Key Vault references for App Service and Azure Functions](../../app-service/app-service-key-vault-references.md). -- Key Vault secrets with the App Configuration service for applications hosted in an Azure VM. For more information, see [Configure applications with App Configuration and Key Vault](/samples/azure/azure-sdk-for-net/app-secrets-configuration/). +- Key Vault references with Azure App Configuration to streamline your application's access to configuration and secrets. For more information, see [Use Key Vault references in Azure App Configuration](../../azure-app-configuration/use-key-vault-references-dotnet-core.md). ## Code examples diff --git a/articles/machine-learning/v1/how-to-train-keras.md b/articles/machine-learning/v1/how-to-train-keras.md index 3ffb1dfe77e9a..6cd06860566d9 100644 --- a/articles/machine-learning/v1/how-to-train-keras.md +++ b/articles/machine-learning/v1/how-to-train-keras.md 
@@ -7,7 +7,7 @@ ms.service: machine-learning ms.subservice: training ms.author: balapv author: balapv -ms.reviewer: mopeakande +ms.reviewer: sgilley ms.date: 11/04/2022 ms.topic: how-to ms.custom: UpdateFrequency5, sdkv1 diff --git a/articles/machine-learning/v1/how-to-train-pytorch.md b/articles/machine-learning/v1/how-to-train-pytorch.md index d03530733d6f5..a7cefd6eacaf4 100644 --- a/articles/machine-learning/v1/how-to-train-pytorch.md +++ b/articles/machine-learning/v1/how-to-train-pytorch.md @@ -7,7 +7,7 @@ ms.service: machine-learning ms.subservice: training ms.author: balapv author: balapv -ms.reviewer: mopeakande +ms.reviewer: sgilley ms.date: 11/04/2022 ms.topic: how-to ms.custom: UpdateFrequency5, sdkv1 diff --git a/articles/machine-learning/v1/how-to-train-scikit-learn.md b/articles/machine-learning/v1/how-to-train-scikit-learn.md index 04d8b6efd5019..d5b1d54406255 100644 --- a/articles/machine-learning/v1/how-to-train-scikit-learn.md +++ b/articles/machine-learning/v1/how-to-train-scikit-learn.md @@ -7,7 +7,7 @@ ms.service: machine-learning ms.subservice: training ms.author: balapv author: balapv -ms.reviewer: mopeakande +ms.reviewer: sgilley ms.date: 11/04/2022 ms.topic: how-to ms.custom: UpdateFrequency5, sdkv1 diff --git a/articles/machine-learning/v1/how-to-train-tensorflow.md b/articles/machine-learning/v1/how-to-train-tensorflow.md index 58d34cb81209a..1be156ea8bf96 100644 --- a/articles/machine-learning/v1/how-to-train-tensorflow.md +++ b/articles/machine-learning/v1/how-to-train-tensorflow.md @@ -7,7 +7,7 @@ ms.service: machine-learning ms.subservice: training ms.author: balapv author: balapv -ms.reviewer: mopeakande +ms.reviewer: sgilley ms.date: 11/04/2022 ms.topic: how-to ms.custom: UpdateFrequency5, sdkv1 diff --git a/articles/nat-gateway/nat-metrics.md b/articles/nat-gateway/nat-metrics.md index fdeb85dfde88c..4adb99ddf9909 100644 --- a/articles/nat-gateway/nat-metrics.md +++ b/articles/nat-gateway/nat-metrics.md 
@@ -176,7 +176,7 @@ Possible reasons for failed connections: - A pattern of failed connections can happen for various reasons. See the [NAT gateway connectivity troubleshooting guide](/azure/nat-gateway/troubleshoot-nat-connectivity) to help you further diagnose. >[!NOTE] -> When NAT gateway is attached to a subnet and public IP address, the Azure platform verifies NAT gateway is healthy by conducting health checks. These health checks may appear in NAT gateway’s SNAT connection metrics, but are negligible and don’t impact NAT gateway’s ability to connect outbound. +> When NAT gateway is attached to a subnet and public IP address, the Azure platform verifies NAT gateway is healthy by conducting health checks. The amount of health check related connections may vary as the health check service is optimized, but is negligible and doesn’t impact NAT gateway’s ability to connect outbound. ### Datapath availability diff --git a/articles/network-watcher/.openpublishing.redirection.network-watcher.json b/articles/network-watcher/.openpublishing.redirection.network-watcher.json index cdbfc363bb663..50cdefcca8f0e 100644 --- a/articles/network-watcher/.openpublishing.redirection.network-watcher.json +++ b/articles/network-watcher/.openpublishing.redirection.network-watcher.json @@ -1,5 +1,10 @@ { "redirections": [ + { + "source_path_from_root": "/articles/network-watcher/network-watcher-connectivity-cli.md", + "redirect_url": "/azure/network-watcher/connection-troubleshoot-cli", + "redirect_document_id": true + }, { "source_path_from_root": "/articles/network-watcher/network-watcher-nsg-flow-logging-overview.md", "redirect_url": "/azure/network-watcher/nsg-flow-logs-overview", diff --git a/articles/network-watcher/network-watcher-connectivity-cli.md b/articles/network-watcher/connection-troubleshoot-cli.md similarity index 100% rename from articles/network-watcher/network-watcher-connectivity-cli.md rename to articles/network-watcher/connection-troubleshoot-cli.md 
diff --git a/articles/network-watcher/diagnose-vm-network-routing-problem-cli.md b/articles/network-watcher/diagnose-vm-network-routing-problem-cli.md index 2726416f3ad5e..1cb5c57c7ea10 100644 --- a/articles/network-watcher/diagnose-vm-network-routing-problem-cli.md +++ b/articles/network-watcher/diagnose-vm-network-routing-problem-cli.md @@ -154,4 +154,4 @@ az group delete --name myResourceGroup --yes In this article, you created a VM and diagnosed network routing from the VM. You learned that Azure creates several default routes and tested routing to two different destinations. Learn more about [routing in Azure](../virtual-network/virtual-networks-udr-overview.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json) and how to [create custom routes](../virtual-network/manage-route-table.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json#create-a-route). -For outbound VM connections, you can also determine the latency and allowed and denied network traffic between the VM and an endpoint using Network Watcher's [connection troubleshoot](network-watcher-connectivity-cli.md) capability. You can monitor communication between a VM and an endpoint, such as an IP address or URL over time using the Network Watcher connection monitor capability. For more information, see [Monitor a network connection](monitor-vm-communication.md). +For outbound VM connections, you can also determine the latency and allowed and denied network traffic between the VM and an endpoint using Network Watcher's [connection troubleshoot](connection-troubleshoot-cli.md) capability. You can monitor communication between a VM and an endpoint, such as an IP address or URL over time using the Network Watcher connection monitor capability. For more information, see [Monitor a network connection](monitor-vm-communication.md). 
diff --git a/articles/network-watcher/network-watcher-analyze-nsg-flow-logs-graylog.md b/articles/network-watcher/network-watcher-analyze-nsg-flow-logs-graylog.md index 5b0466833c9cc..5bb12e7127fc0 100644 --- a/articles/network-watcher/network-watcher-analyze-nsg-flow-logs-graylog.md +++ b/articles/network-watcher/network-watcher-analyze-nsg-flow-logs-graylog.md 
@@ -15,12 +15,12 @@ ms.custom: engagement-fy23, linux-related-content > [!CAUTION] > This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. -[Network security group flow logs](network-watcher-nsg-flow-logging-overview.md) provide information that you can use to understand ingress and egress IP traffic for Azure network interfaces. Flow logs show outbound and inbound flows on a per network security group rule basis, the network interface the flow applies to, 5-tuple information (Source/Destination IP, Source/Destination Port, Protocol) about the flow, and if the traffic was allowed or denied. +[Network security group flow logs](nsg-flow-logs-overview.md) provide information that you can use to understand ingress and egress IP traffic for Azure network interfaces. Flow logs show outbound and inbound flows on a per network security group rule basis, the network interface the flow applies to, 5-tuple information (Source/Destination IP, Source/Destination Port, Protocol) about the flow, and if the traffic was allowed or denied. You can have many network security groups in your network with flow logging enabled. Several network security groups with flow logging enabled can make it cumbersome to parse and gain insights from your logs. This article provides a solution to centrally manage these network security group flow logs using Graylog, an open source log management and analysis tool, and Logstash, an open source server-side data processing pipeline. > [!Warning] -> The following steps work with flow logs version 1. For details, see [Introduction to flow logging for network security groups](network-watcher-nsg-flow-logging-overview.md). The following instructions will not work with version 2 of the log files, without modification. +> The following steps work with flow logs version 1. 
For details, see [Introduction to flow logging for network security groups](nsg-flow-logs-overview.md). The following instructions will not work with version 2 of the log files, without modification. ## Scenario @@ -33,7 +33,7 @@ Network security group flow logs are enabled using Network Watcher. Flow logs fl ### Enable network security group flow logging For this scenario, you must have network security group flow logging enabled on at least one network security group in your account. For instructions on -enabling network security group flow logs, refer to the following article [Introduction to flow logging for network security groups](network-watcher-nsg-flow-logging-overview.md). +enabling network security group flow logs, refer to the following article [Introduction to flow logging for network security groups](nsg-flow-logs-overview.md). ### Setting up Graylog diff --git a/articles/network-watcher/network-watcher-connectivity-rest.md b/articles/network-watcher/network-watcher-connectivity-rest.md index bc5b13a60887c..0b5c98de41eca 100644 --- a/articles/network-watcher/network-watcher-connectivity-rest.md +++ b/articles/network-watcher/network-watcher-connectivity-rest.md @@ -12,12 +12,6 @@ ms.author: halkazwini # Troubleshoot connections with Azure Network Watcher using the Azure REST API -> [!div class="op_single_selector"] -> - [Portal](network-watcher-connectivity-portal.md) -> - [PowerShell](network-watcher-connectivity-powershell.md) -> - [Azure CLI](network-watcher-connectivity-cli.md) -> - [Azure REST API](network-watcher-connectivity-rest.md) - Learn how to use connection troubleshoot to verify whether a direct TCP connection from a virtual machine to a given endpoint can be established. ## Before you begin diff --git a/articles/network-watcher/network-watcher-create.md b/articles/network-watcher/network-watcher-create.md index ee10d1c6bb587..42798f85984f4 100644 --- a/articles/network-watcher/network-watcher-create.md 
+++ b/articles/network-watcher/network-watcher-create.md @@ -229,6 +229,6 @@ az network watcher list --out table To learn more about Network Watcher features, see: -- [NSG flow logs](network-watcher-nsg-flow-logging-overview.md) +- [NSG flow logs](nsg-flow-logs-overview.md) - [Connection monitor](connection-monitor-overview.md) -- [Connection troubleshoot](network-watcher-connectivity-overview.md) +- [Connection troubleshoot](connection-troubleshoot-overview.md) diff --git a/articles/network-watcher/network-watcher-nsg-grafana.md b/articles/network-watcher/network-watcher-nsg-grafana.md index 45894cafbe44e..fcad61fe6b2e2 100644 --- a/articles/network-watcher/network-watcher-nsg-grafana.md +++ b/articles/network-watcher/network-watcher-nsg-grafana.md 
@@ -15,7 +15,7 @@ ms.custom: engagement-fy23, linux-related-content > [!CAUTION] > This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. -[Network Security Group (NSG) flow logs](network-watcher-nsg-flow-logging-overview.md) provide information that can be used to understand ingress and egress IP traffic on network interfaces. These flow logs show outbound and inbound flows on a per NSG rule basis, the NIC the flow applies to, 5-tuple information about the flow (Source/Destination IP, Source/Destination Port, Protocol), and if the traffic was allowed or denied. +[Network Security Group (NSG) flow logs](nsg-flow-logs-overview.md) provide information that can be used to understand ingress and egress IP traffic on network interfaces. These flow logs show outbound and inbound flows on a per NSG rule basis, the NIC the flow applies to, 5-tuple information about the flow (Source/Destination IP, Source/Destination Port, Protocol), and if the traffic was allowed or denied. You can have many NSGs in your network with flow logging enabled. This amount of logging data makes it cumbersome to parse and gain insights from your logs. This article provides a solution to centrally manage these NSG flow logs using Grafana, an open source graphing tool, ElasticSearch, a distributed search and analytics engine, and Logstash, which is an open source server-side data processing pipeline. 
@@ -29,7 +29,7 @@ NSG flow logs are enabled using Network Watcher and are stored in Azure blob sto ### Enable Network Security Group flow logging -For this scenario, you must have Network Security Group Flow Logging enabled on at least one Network Security Group in your account. For instructions on enabling Network Security Flow Logs, refer to the following article [Introduction to flow logging for Network Security Groups](network-watcher-nsg-flow-logging-overview.md). +For this scenario, you must have Network Security Group Flow Logging enabled on at least one Network Security Group in your account. For instructions on enabling Network Security Flow Logs, refer to the following article [Introduction to flow logging for Network Security Groups](nsg-flow-logs-overview.md). ### Setup considerations diff --git a/articles/network-watcher/network-watcher-read-nsg-flow-logs.md b/articles/network-watcher/network-watcher-read-nsg-flow-logs.md index 0d1bac7a969d0..fefcc34c787d8 100644 --- a/articles/network-watcher/network-watcher-read-nsg-flow-logs.md +++ b/articles/network-watcher/network-watcher-read-nsg-flow-logs.md @@ -22,7 +22,7 @@ In the following scenario, you have an example flow log that is stored in a stor ## Setup -Before you begin, you must have Network Security Group Flow Logging enabled on one or many Network Security Groups in your account. For instructions on enabling Network Security flow logs, refer to the following article: [Introduction to flow logging for Network Security Groups](network-watcher-nsg-flow-logging-overview.md). +Before you begin, you must have Network Security Group Flow Logging enabled on one or many Network Security Groups in your account. For instructions on enabling Network Security flow logs, refer to the following article: [Introduction to flow logging for Network Security Groups](nsg-flow-logs-overview.md). ## Retrieve the block list 
diff --git a/articles/network-watcher/network-watcher-using-open-source-tools.md b/articles/network-watcher/network-watcher-using-open-source-tools.md index e5126552eaab2..3fd3006242001 100644 --- a/articles/network-watcher/network-watcher-using-open-source-tools.md +++ b/articles/network-watcher/network-watcher-using-open-source-tools.md @@ -87,7 +87,7 @@ You can use the Network Watcher packet capture feature to capture the necessary ## Next steps -- Learn about [NSG flow logs](network-watcher-nsg-flow-logging-overview.md). +- Learn about [NSG flow logs](nsg-flow-logs-overview.md). - Learn [how to visualize your NSG flow logs by using Power BI](network-watcher-visualize-nsg-flow-logs-power-bi.md). diff --git a/articles/network-watcher/network-watcher-visualize-nsg-flow-logs-open-source-tools.md b/articles/network-watcher/network-watcher-visualize-nsg-flow-logs-open-source-tools.md index 50d4f5f905238..3e6ac9be1003d 100644 --- a/articles/network-watcher/network-watcher-visualize-nsg-flow-logs-open-source-tools.md +++ b/articles/network-watcher/network-watcher-visualize-nsg-flow-logs-open-source-tools.md @@ -30,7 +30,7 @@ In this article, we set up a solution that allows you to visualize Network Secur ### Enable Network Security Group flow logging -For this scenario, you must have Network Security Group Flow Logging enabled on at least one Network Security Group in your account. For instructions on enabling Network Security Flow Logs, see the following article [Introduction to flow logging for Network Security Groups](network-watcher-nsg-flow-logging-overview.md). +For this scenario, you must have Network Security Group Flow Logging enabled on at least one Network Security Group in your account. For instructions on enabling Network Security Flow Logs, see the following article [Introduction to flow logging for Network Security Groups](nsg-flow-logs-overview.md). ### Set up the Elastic Stack 
diff --git a/articles/network-watcher/network-watcher-visualize-nsg-flow-logs-power-bi.md b/articles/network-watcher/network-watcher-visualize-nsg-flow-logs-power-bi.md index 7047503a3ab2a..498bfb21b809a 100644 --- a/articles/network-watcher/network-watcher-visualize-nsg-flow-logs-power-bi.md +++ b/articles/network-watcher/network-watcher-visualize-nsg-flow-logs-power-bi.md @@ -18,7 +18,7 @@ Network Security Group flow logs allow you to view information about ingress and It can be difficult to gain insights into flow logging data by manually searching the log files. In this article, we provide a solution to visualize your most recent flow logs and learn about traffic on your network. > [!Warning] -> The following steps work with flow logs version 1. For details, see [Introduction to flow logging for network security groups](network-watcher-nsg-flow-logging-overview.md). The following instructions will not work with version 2 of the log files, without modification. +> The following steps work with flow logs version 1. For details, see [Introduction to flow logging for network security groups](nsg-flow-logs-overview.md). The following instructions will not work with version 2 of the log files, without modification. ## Scenario 
@@ -36,7 +36,7 @@ The template provided is editable so you can modify it to add new data, visuals, ## Setup -Before you begin, you must have Network Security Group Flow Logging enabled on one or many Network Security Groups in your account. For instructions on enabling Network Security flow logs, refer to the following article: [Introduction to flow logging for Network Security Groups](network-watcher-nsg-flow-logging-overview.md). +Before you begin, you must have Network Security Group Flow Logging enabled on one or many Network Security Groups in your account. For instructions on enabling Network Security flow logs, refer to the following article: [Introduction to flow logging for Network Security Groups](nsg-flow-logs-overview.md). You must also have the Power BI Desktop client installed on your machine, and enough free space on your machine to download and load the log data that exists in your storage account. @@ -44,7 +44,7 @@ You must also have the Power BI Desktop client installed on your machine, and en ### Steps -1. Download and open the following Power BI template in the Power BI Desktop Application [Network Watcher PowerBI flow logs template](https://aka.ms/networkwatcherflowlogspowerbitemplate) +1. Download and open the following Power BI template in the Power BI Desktop Application [Network Watcher Power BI flow logs template](https://aka.ms/networkwatcherflowlogspowerbitemplate) 1. Enter the required Query parameters 1. **StorageAccountName** – Specifies to the name of the storage account containing the NSG flow logs that you would like to load and visualize. 1. **NumberOfLogFiles** – Specifies the number of log files that you would like to download and visualize in Power BI. For example, if 50 is specified, the 50 latest log files. If we have 2 NSGs enabled and configured to send NSG flow logs to this account, then the past 25 hours of logs can be viewed. 
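Review bot: the unchanged context line `**StorageAccountName** – Specifies to the name of the storage account` has a stray "to" and should read "Specifies the name of the storage account"; since this hunk already edits the neighbouring list item ("PowerBI" to "Power BI"), fix the wording in the same change.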
@@ -61,7 +61,7 @@ You must also have the Power BI Desktop client installed on your machine, and en ## Understanding the visuals -Provided in the template are a set of visuals that help make sense of the NSG Flow Log data. The following images show a sample of what the dashboard looks like when populated with data. Below we examine each visual in greater detail +Provided in the template are a set of visuals that help make sense of the NSG Flow Log data. The following images show a sample of what the dashboard looks like when populated with data. Below we examine each visual in greater detail. ![powerbi][5] @@ -91,7 +91,7 @@ The following informational charts display information about the NSGs present in ![infochart2][12] -This template includes the following slicers to allow you to view only the data you are most interested in. You can filter on your resource groups, NSGs, and rules. You can also filter on 5-tuple information, decision, and the time the log was written. +This template includes the following slicers to allow you to view only the data you're most interested in. You can filter on your resource groups, NSGs, and rules. You can also filter on 5-tuple information, decision, and the time the log was written. ![slicers][13] @@ -107,7 +107,7 @@ Feel free to customize this template for your needs. There are many numerous way * If other data exists in another directory they the queries to pull and process the data must be modified. -* The provided template is not recommended for use with more than 1 GB of logs. +* The provided template isn't recommended for use with more than 1 GB of logs. * If you have a large amount of logs, we recommend that you investigate a solution using another data store like Data Lake or SQL server. diff --git a/articles/network-watcher/nsg-flow-logs-azure-resource-manager.md b/articles/network-watcher/nsg-flow-logs-azure-resource-manager.md index bacc418ac611b..a06929760f71d 100644 
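Review bot: two context lines in the customization hunk carry typos that the change should pick up while it is editing this passage: `There are many numerous way` (keep either "many" or "numerous", and make it "ways") and `If other data exists in another directory they the queries` ("then the queries").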
--- a/articles/network-watcher/nsg-flow-logs-azure-resource-manager.md +++ b/articles/network-watcher/nsg-flow-logs-azure-resource-manager.md @@ -14,7 +14,7 @@ ms.custom: devx-track-arm-template, fasttrack-edit Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group. For more information about network security group flow logging, see [NSG flow logs overview](nsg-flow-logs-overview.md). -In this article, you learn how to manage NSG flow logs programmatically using an Azure Resource Manager template and Azure PowerShell. You can learn how to manage an NSG flow log using the [Azure portal](nsg-flow-logging.md), [PowerShell](nsg-flow-logs-powershell.md), [Azure CLI](nsg-flow-logs-cli.md), or [REST API](nsg-flow-logs-rest.md). +In this article, you learn how to manage NSG flow logs programmatically using an Azure Resource Manager template and Azure PowerShell. You can learn how to manage an NSG flow log using the [Azure portal](nsg-flow-logs-portal.md), [PowerShell](nsg-flow-logs-powershell.md), [Azure CLI](nsg-flow-logs-cli.md), or [REST API](nsg-flow-logs-rest.md). An [Azure Resource Manager template](../azure-resource-manager/templates/overview.md) is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project using declarative syntax. diff --git a/articles/network-watcher/nsg-flow-logs-cli.md b/articles/network-watcher/nsg-flow-logs-cli.md index 6b22c72074920..822b91f4a4a7c 100644 --- a/articles/network-watcher/nsg-flow-logs-cli.md +++ b/articles/network-watcher/nsg-flow-logs-cli.md 
@@ -14,7 +14,7 @@ ms.custom: devx-track-azurecli Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group. For more information about network security group flow logging, see [NSG flow logs overview](nsg-flow-logs-overview.md). -In this article, you learn how to create, change, disable, or delete an NSG flow log using the Azure CLI. You can learn how to manage an NSG flow log using the [Azure portal](nsg-flow-logging.md), [PowerShell](nsg-flow-logs-powershell.md), [REST API](nsg-flow-logs-rest.md), or [ARM template](nsg-flow-logs-azure-resource-manager.md). +In this article, you learn how to create, change, disable, or delete an NSG flow log using the Azure CLI. You can learn how to manage an NSG flow log using the [Azure portal](nsg-flow-logs-portal.md), [PowerShell](nsg-flow-logs-powershell.md), [REST API](nsg-flow-logs-rest.md), or [ARM template](nsg-flow-logs-azure-resource-manager.md). ## Prerequisites diff --git a/articles/network-watcher/nsg-flow-logs-overview.md b/articles/network-watcher/nsg-flow-logs-overview.md index b506e9a55bc00..55f008c9162eb 100644 --- a/articles/network-watcher/nsg-flow-logs-overview.md +++ b/articles/network-watcher/nsg-flow-logs-overview.md 
@@ -415,8 +415,8 @@ To learn how to create, change, disable, or delete NSG flow logs, see one of the To learn how to read and export NSG flow logs, see one of the following guides: -- [Download and view flow logs from the portal](./nsg-flow-logging.md#download-a-flow-log) -- [Read flow logs by using PowerShell functions](./network-watcher-read-nsg-flow-logs.md) +- [Download and view flow logs from the portal](nsg-flow-logs-portal.md#download-a-flow-log) +- [Read flow logs by using PowerShell functions](network-watcher-read-nsg-flow-logs.md) - [Export NSG flow logs to Splunk](https://www.splunk.com/en_us/blog/platform/splunking-azure-nsg-flow-logs.html) NSG flow log files are stored in a storage account at the following path: diff --git a/articles/network-watcher/nsg-flow-logs-policy-portal.md b/articles/network-watcher/nsg-flow-logs-policy-portal.md index e4ee43374750e..7506ea667dcc4 100644 --- a/articles/network-watcher/nsg-flow-logs-policy-portal.md +++ b/articles/network-watcher/nsg-flow-logs-policy-portal.md 
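Review bot: the first retargeted link keeps the `#download-a-flow-log` fragment while moving from `nsg-flow-logging.md` to `nsg-flow-logs-portal.md`; verify that the heading in the new portal article still renders the same anchor, otherwise the link will land at the top of the page instead of the download step.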
@@ -128,6 +128,6 @@ To assign the *deployIfNotExists* policy: ## Next steps -- To learn more about NSG flow logs, see [Flow logs for network security groups](./network-watcher-nsg-flow-logging-overview.md). -- To learn about using built-in policies with traffic analytics, see [Manage traffic analytics using Azure Policy](./traffic-analytics-policy-portal.md). -- To learn how to use an Azure Resource Manager (ARM) template to deploy flow logs and traffic analytics, see [Configure NSG flow logs using an Azure Resource Manager template](./quickstart-configure-network-security-group-flow-logs-from-arm-template.md). +- To learn more about NSG flow logs, see [Flow logs for network security groups](nsg-flow-logs-overview.md). +- To learn about using built-in policies with traffic analytics, see [Manage traffic analytics using Azure Policy](traffic-analytics-policy-portal.md). +- To learn how to use an Azure Resource Manager (ARM) template to deploy flow logs and traffic analytics, see [Configure NSG flow logs using an Azure Resource Manager template](quickstart-configure-network-security-group-flow-logs-from-arm-template.md). diff --git a/articles/network-watcher/nsg-flow-logs-powershell.md b/articles/network-watcher/nsg-flow-logs-powershell.md index cf32e4c373520..11dd291a1453d 100644 --- a/articles/network-watcher/nsg-flow-logs-powershell.md +++ b/articles/network-watcher/nsg-flow-logs-powershell.md 
@@ -14,7 +14,7 @@ ms.custom: devx-track-azurepowershell Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group. For more information about network security group flow logging, see [NSG flow logs overview](nsg-flow-logs-overview.md). -In this article, you learn how to create, change, disable, or delete an NSG flow log using Azure PowerShell. You can learn how to manage an NSG flow log using the [Azure portal](nsg-flow-logging.md), [Azure CLI](nsg-flow-logs-cli.md), [REST API](nsg-flow-logs-rest.md), or [ARM template](nsg-flow-logs-azure-resource-manager.md). +In this article, you learn how to create, change, disable, or delete an NSG flow log using Azure PowerShell. You can learn how to manage an NSG flow log using the [Azure portal](nsg-flow-logs-portal.md), [Azure CLI](nsg-flow-logs-cli.md), [REST API](nsg-flow-logs-rest.md), or [ARM template](nsg-flow-logs-azure-resource-manager.md). ## Prerequisites diff --git a/articles/network-watcher/nsg-flow-logs-rest.md b/articles/network-watcher/nsg-flow-logs-rest.md index 9d8d8250a5b8f..1a35f28aa7da4 100644 --- a/articles/network-watcher/nsg-flow-logs-rest.md +++ b/articles/network-watcher/nsg-flow-logs-rest.md 
@@ -13,7 +13,7 @@ ms.date: 06/01/2023 Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group. For more information about network security group flow logging, see [NSG flow logs overview](nsg-flow-logs-overview.md). -This article shows you how to use the REST API to enable, disable, and query flow logs using the REST API. You can learn how to manage an NSG flow log using the [Azure portal](nsg-flow-logging.md), [PowerShell](nsg-flow-logs-powershell.md), [Azure CLI](nsg-flow-logs-cli.md), or [ARM template](nsg-flow-logs-azure-resource-manager.md). +This article shows you how to use the REST API to enable, disable, and query flow logs using the REST API. You can learn how to manage an NSG flow log using the [Azure portal](nsg-flow-logs-portal.md), [PowerShell](nsg-flow-logs-powershell.md), [Azure CLI](nsg-flow-logs-cli.md), or [ARM template](nsg-flow-logs-azure-resource-manager.md). In this article, uou learn how to: diff --git a/articles/network-watcher/nsg-flow-logs-tutorial.md b/articles/network-watcher/nsg-flow-logs-tutorial.md index 0a2825e50df6b..af6b85391d159 100644 --- a/articles/network-watcher/nsg-flow-logs-tutorial.md +++ b/articles/network-watcher/nsg-flow-logs-tutorial.md 
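Review bot: the unchanged context line `In this article, uou learn how to:` directly below the edited paragraph has a typo (`uou` should be `you`); fix it here since the hunk already touches this section. The edited sentence `This article shows you how to use the REST API to enable, disable, and query flow logs using the REST API` also names the REST API twice; drop one occurrence.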
@@ -12,7 +12,7 @@ ms.date: 09/26/2023 # Tutorial: Log network traffic to and from a virtual machine using the Azure portal -Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group. For more information about network security group flow logging, see [NSG flow logs overview](network-watcher-nsg-flow-logging-overview.md). +Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group. For more information about network security group flow logging, see [NSG flow logs overview](nsg-flow-logs-overview.md). This tutorial helps you use NSG flow logs to log a virtual machine's network traffic that flows through the [network security group](../virtual-network/network-security-groups-overview.md) associated to its network interface. @@ -285,7 +285,7 @@ When no longer needed, delete **myResourceGroup** resource group and all of the ## Related content -- To learn more about NSG flow logs, see [Flow logging for network security groups](network-watcher-nsg-flow-logging-overview.md). -- To learn how to create, change, enable, disable, or delete NSG flow logs, see [Manage NSG flow logs](nsg-flow-logging.md). +- To learn more about NSG flow logs, see [Flow logging for network security groups](nsg-flow-logs-overview.md). +- To learn how to create, change, enable, disable, or delete NSG flow logs, see [Manage NSG flow logs](nsg-flow-logs-portal.md). - To learn about Traffic analytics, see [Traffic analytics overview](traffic-analytics.md). diff --git a/articles/network-watcher/quickstart-configure-network-security-group-flow-logs-from-arm-template.md b/articles/network-watcher/quickstart-configure-network-security-group-flow-logs-from-arm-template.md index bc332d6d3d70e..203645c10dcbd 100644 
--- a/articles/network-watcher/quickstart-configure-network-security-group-flow-logs-from-arm-template.md +++ b/articles/network-watcher/quickstart-configure-network-security-group-flow-logs-from-arm-template.md @@ -14,7 +14,7 @@ ms.custom: devx-track-azurepowershell, subject-armqs, mode-arm, devx-track-arm-t # Quickstart: Configure Azure Network Watcher NSG flow logs using an Azure Resource Manager (ARM) template -In this quickstart, you learn how to enable NSG flow logs using an Azure Resource Manager (ARM) template and Azure PowerShell. For more information, see [What is Azure Resource Manager?](../azure-resource-manager/management/overview.md) and [NSG flow logs overview](network-watcher-nsg-flow-logging-overview.md). +In this quickstart, you learn how to enable NSG flow logs using an Azure Resource Manager (ARM) template and Azure PowerShell. For more information, see [What is Azure Resource Manager?](../azure-resource-manager/management/overview.md) and [NSG flow logs overview](nsg-flow-logs-overview.md). [!INCLUDE [About Azure Resource Manager](../../includes/resource-manager-quickstart-introduction.md)] @@ -81,7 +81,7 @@ You can also disable or delete a flow log in the Azure portal: 1. In **Network Watcher | Flow logs**, select the checkbox of the flow log that you want to delete. -1. Select **Disable** or **Delete**. For more information, see [Disable a flow log](nsg-flow-logging.md#disable-a-flow-log) or [Delete a flow log](nsg-flow-logging.md#delete-a-flow-log). +1. Select **Disable** or **Delete**. For more information, see [Disable a flow log](nsg-flow-logs-portal.md#disable-a-flow-log) or [Delete a flow log](nsg-flow-logs-portal.md#delete-a-flow-log). ## Related content diff --git a/articles/network-watcher/quickstart-configure-network-security-group-flow-logs-from-bicep.md b/articles/network-watcher/quickstart-configure-network-security-group-flow-logs-from-bicep.md index 47a365dc23c1a..947b43fcfb7dd 100644 
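Review bot: the retargeted links carry the `#disable-a-flow-log` and `#delete-a-flow-log` fragments over to `nsg-flow-logs-portal.md`; confirm both headings exist with those exact slugs in the renamed portal article so the deep links in the disable/delete step keep working.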
--- a/articles/network-watcher/quickstart-configure-network-security-group-flow-logs-from-bicep.md +++ b/articles/network-watcher/quickstart-configure-network-security-group-flow-logs-from-bicep.md @@ -14,7 +14,7 @@ ms.custom: devx-track-bicep, subject-bicepqs, mode-arm # Quickstart: Configure Azure Network Watcher NSG flow logs using a Bicep file -In this quickstart, you learn how to enable [NSG flow logs](network-watcher-nsg-flow-logging-overview.md) using a Bicep file +In this quickstart, you learn how to enable [NSG flow logs](nsg-flow-logs-overview.md) using a Bicep file. [!INCLUDE [About Bicep](../../includes/resource-manager-quickstart-bicep-introduction.md)] diff --git a/articles/network-watcher/toc.yml b/articles/network-watcher/toc.yml index 6407e3660430f..01ae887de6b9d 100644 --- a/articles/network-watcher/toc.yml +++ b/articles/network-watcher/toc.yml @@ -132,7 +132,7 @@ - name: PowerShell href: connection-troubleshoot-powershell.md - name: Azure CLI - href: network-watcher-connectivity-cli.md + href: connection-troubleshoot-cli.md - name: REST href: network-watcher-connectivity-rest.md - name: Diagnose VPN gateway and connections diff --git a/articles/network-watcher/traffic-analytics.md b/articles/network-watcher/traffic-analytics.md index b61330de3fa4a..4f2b63ae84f6b 100644 --- a/articles/network-watcher/traffic-analytics.md +++ b/articles/network-watcher/traffic-analytics.md 
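Review bot: the `toc.yml` hunk renames only the Azure CLI entry to `connection-troubleshoot-cli.md` while the sibling REST entry keeps `network-watcher-connectivity-rest.md`; either that article has not been renamed yet or it was missed. Confirm the remaining `network-watcher-connectivity-*.md` hrefs are intentional, and add a redirect for `network-watcher-connectivity-cli.md` alongside the rename.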
@@ -63,7 +63,7 @@ To use traffic analytics, you need the following components: - **Log Analytics workspace**: The environment that stores Azure Monitor log data that pertains to an Azure account. For more information about Log Analytics workspaces, see [Overview of Log Analytics workspace](../azure-monitor/logs/log-analytics-workspace-overview.md?toc=/azure/network-watcher/toc.json). -- Additionally, you need a network security group enabled for flow logging if you're using traffic analytics to analyze [NSG flow logs](network-watcher-nsg-flow-logging-overview.md) or a virtual network enabled for flow logging if you're using traffic analytics to analyze [VNet flow logs (preview)](vnet-flow-logs-overview.md): +- Additionally, you need a network security group enabled for flow logging if you're using traffic analytics to analyze [NSG flow logs](nsg-flow-logs-overview.md) or a virtual network enabled for flow logging if you're using traffic analytics to analyze [VNet flow logs (preview)](vnet-flow-logs-overview.md): - **Network security group (NSG)**: A resource that contains a list of security rules that allow or deny network traffic to or from resources that are connected to an Azure virtual network. Network security groups can be associated with subnets, network interfaces (NICs) that are attached to VMs (Resource Manager), or individual VMs (classic). For more information, see [Network security group overview](../virtual-network/network-security-groups-overview.md?toc=/azure/network-watcher/toc.json). 
@@ -74,7 +74,7 @@ To use traffic analytics, you need the following components: - Information about the flow, such as the source and destination IP addresses, the source and destination ports, and the protocol. - The status of the traffic, such as allowed or denied. - For more information about NSG flow logs, see [NSG flow logs overview](network-watcher-nsg-flow-logging-overview.md). + For more information about NSG flow logs, see [NSG flow logs overview](nsg-flow-logs-overview.md). - **Virtual network (VNet)**: A resource that enables many types of Azure resources to securely communicate with each other, the internet, and on-premises networks. For more information, see [Virtual network overview](../virtual-network/virtual-networks-overview.md?toc=/azure/network-watcher/toc.json). 
@@ -104,7 +104,7 @@ Reduced logs are enhanced with geography, security, and topology information and Traffic analytics requires the following prerequisites: - A Network Watcher enabled subscription. For more information, see [Enable or disable Azure Network Watcher](network-watcher-create.md). -- NSG flow logs enabled for the network security groups you want to monitor or VNet flow logs enabled for the virtual network you want to monitor. For more information, see [Create a flow log](nsg-flow-logging.md#create-a-flow-log) or [Enable VNet flow logs](vnet-flow-logs-powershell.md#enable-vnet-flow-logs). +- NSG flow logs enabled for the network security groups you want to monitor or VNet flow logs enabled for the virtual network you want to monitor. For more information, see [Create a flow log](nsg-flow-logs-portal.md#create-a-flow-log) or [Enable VNet flow logs](vnet-flow-logs-powershell.md#enable-vnet-flow-logs). - An Azure Log Analytics workspace with read and write access. For more information, see [Create a Log Analytics workspace](../azure-monitor/logs/quick-create-workspace.md?toc=/azure/network-watcher/toc.json). - One of the following [Azure built-in roles](../role-based-access-control/built-in-roles.md) needs to be assigned to your account: diff --git a/articles/network-watcher/vnet-flow-logs-overview.md b/articles/network-watcher/vnet-flow-logs-overview.md index 73cb69bbb33d7..4120caa831cc4 100644 --- a/articles/network-watcher/vnet-flow-logs-overview.md +++ b/articles/network-watcher/vnet-flow-logs-overview.md 
@@ -16,7 +16,7 @@ ms.custom: references_regions Virtual network (VNet) flow logs are a feature of Azure Network Watcher. You can use them to log information about IP traffic flowing through a virtual network. -Flow data from VNet flow logs is sent to Azure Storage. From there, you can access the data and export it to any visualization tool, security information and event management (SIEM) solution, or intrusion detection system (IDS). VNet flow logs overcome some of the limitations of [NSG flow logs](network-watcher-nsg-flow-logging-overview.md). +Flow data from VNet flow logs is sent to Azure Storage. From there, you can access the data and export it to any visualization tool, security information and event management (SIEM) solution, or intrusion detection system (IDS). VNet flow logs overcome some of the limitations of [NSG flow logs](nsg-flow-logs-overview.md). > [!IMPORTANT] > The VNet flow logs feature is currently in preview. This preview version is provided without a service-level agreement, and we don't recommend it for production workloads. Certain features might not be supported or might have constrained capabilities. For legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). 
@@ -54,11 +54,11 @@ Flow logs are the source of truth for all network activity in your cloud environ ## VNet flow logs compared to NSG flow logs -Both VNet flow logs and [NSG flow logs](network-watcher-nsg-flow-logging-overview.md) record IP traffic, but they differ in their behavior and capabilities. +Both VNet flow logs and [NSG flow logs](nsg-flow-logs-overview.md) record IP traffic, but they differ in their behavior and capabilities. VNet flow logs simplify the scope of traffic monitoring because you can enable logging at [virtual networks](../virtual-network/virtual-networks-overview.md). Traffic through all supported workloads within a virtual network is recorded. -VNet flow logs also avoid the need to enable multiple-level flow logging, such as in [NSG flow logs](network-watcher-nsg-flow-logging-overview.md#best-practices). In NSG flow logs, network security groups are configured at both the subnet and the network interface (NIC). +VNet flow logs also avoid the need to enable multiple-level flow logging, such as in [NSG flow logs](nsg-flow-logs-overview.md#best-practices). In NSG flow logs, network security groups are configured at both the subnet and the network interface (NIC). In addition to existing support to identify traffic that [network security group rules](../virtual-network/network-security-groups-overview.md) allow or deny, VNet flow logs support identification of traffic that [Azure Virtual Network Manager security admin rules](../virtual-network-manager/concept-security-admins.md) allow or deny. VNet flow logs also support evaluating the encryption status of your network traffic in scenarios where you're using [virtual network encryption](../virtual-network/virtual-network-encryption-overview.md). diff --git a/articles/operator-nexus/TOC.yml b/articles/operator-nexus/TOC.yml index 3ca22efc0467d..6c2bfb977726b 100644 --- a/articles/operator-nexus/TOC.yml +++ b/articles/operator-nexus/TOC.yml 
@@ -105,6 +105,8 @@ href: howto-cluster-runtime-upgrade.md - name: Credential Rotation href: howto-credential-rotation.md + - name: Credential Manager Key Vault + href: how-to-credential-manager-key-vault.md - name: Service Principal Rotation href: howto-service-principal-rotation.md - name: Network Fabric diff --git a/articles/operator-nexus/how-to-credential-manager-key-vault.md b/articles/operator-nexus/how-to-credential-manager-key-vault.md new file mode 100644 index 0000000000000..b2f4706bba981 --- /dev/null +++ b/articles/operator-nexus/how-to-credential-manager-key-vault.md 
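Review bot: the new TOC entry points at `how-to-credential-manager-key-vault.md`, but every sibling in this TOC uses the `howto-` prefix (`howto-credential-rotation.md`, `howto-service-principal-rotation.md`); name the new file `howto-credential-manager-key-vault.md` for consistency so it does not become the odd one out in future link and redirect work.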
@@ -0,0 +1,68 @@ +--- +title: Set up customer provided Key Vault for Managed Credential rotation +description: Step by step guide on setting up a key vault for managing and rotating credentials used within Azure Operator Nexus Cluster resource. +author: ghugo +ms.author: gagehugo +ms.service: azure-operator-nexus +ms.topic: how-to +ms.date: 01/24/2024 +ms.custom: template-how-to +--- + +# Set up Key Vault for Managed Credential Rotation in Operator Nexus + +Azure Operator Nexus utilizes secrets and certificates to manage component security across the platform. The Operator Nexus platform handles the rotation of these secrets and certificates. By default, Operator Nexus stores the credentials in a managed Key Vault. To keep the rotated credentials in their own Key Vault, the user has to set up the Key Vault for the Azure Operator Nexus instance. Once created, the user needs to add a role assignment on the Customer Key Vault to allow the Operator Nexus Platform to write updated credentials, and additionally link the Customer Key Vault to the Nexus Cluster Resource. + +## Prerequisites + +- Install the latest version of the + [appropriate CLI extensions](./howto-install-cli-extensions.md) +- Get the *Subscription ID* for the customer's subscription + +> [!NOTE] +> A single Key Vault can be used for any number of clusters. + +## Writing Credential Updates to a Customer Key Vault on Nexus Cluster + +- Ensure that the *Microsoft.NetworkCloud* resource provider is registered with the customer subscription. + +```console +az provider register --namespace 'Microsoft.NetworkCloud' --subscription +``` + +- Assign the *Operator Nexus Key Vault Writer Service Role*. Ensure that *Azure role-based access control* is selected as the permission model for the key vault on the *Access configuration* view. Then from the *Access control (IAM)* view, select to add a role assignment. 
+ +| Role Name | Role Definition ID | +|:-------------------------------------------------------|:-------------------------------------| +| Operator Nexus Key Vault Writer Service Role (Preview) | 44f0a1a8-6fea-4b35-980a-8ff50c487c97 | + +| Environment | App Name | App ID | +|:------------|:----------------------|:-------------------------------------| +| Production | AFOI-NC-RP-PME-PROD | 05cf5e27-931d-47ad-826d-cb9028d8bd7a | +| Production | AFOI-NC-MGMT-PME-PROD | 3365d4ea-bb16-4bc9-86dd-f2c8cf6f1f56 | + +Example: + +```console +az role assignment create --assignee 05cf5e27-931d-47ad-826d-cb9028d8bd7a --role 44f0a1a8-6fea-4b35-980a-8ff50c487c97 --scope /subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/ + +az role assignment create --assignee 3365d4ea-bb16-4bc9-86dd-f2c8cf6f1f56 --role 44f0a1a8-6fea-4b35-980a-8ff50c487c97 --scope /subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/ +``` + +- User associates the Customer Key Vault with the Operator Nexus cluster. The key vault resource ID must be configured in the cluster and enabled to store the secrets of the cluster. + +Example: + +```console +# Set and enable Customer Key Vault on Nexus cluster +az networkcloud cluster update --ids /subscriptions//resourceGroups//providers/Microsoft.NetworkCloud/clusters/ --secret-archive "{key-vault-id:,use-key-vault:true}" + +# Show Customer Key Vault setting (secretArchive) on the Nexus cluster +az networkcloud cluster show --ids /subscriptions//resourceGroups//providers/Microsoft.NetworkCloud/clusters/ --query secretArchive +``` + +For more help: + +```console +az networkcloud cluster update --secret-archive ?? --help +``` diff --git a/articles/operator-nexus/howto-configure-cluster.md b/articles/operator-nexus/howto-configure-cluster.md index 6cddad86c7238..497fc5ef275a6 100644 --- a/articles/operator-nexus/howto-configure-cluster.md +++ b/articles/operator-nexus/howto-configure-cluster.md 
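Review bot: the CLI examples in the new article have lost their placeholders: `--subscription` has no value, the role assignment scope reads `/subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/`, and the cluster update passes `"{key-vault-id:,use-key-vault:true}"`. Angle-bracket placeholders such as `<subscription-id>` are swallowed by the Markdown renderer, so either escape them or use shell variables (`$SUBSCRIPTION_ID`, `$RESOURCE_GROUP`, `$KEY_VAULT_NAME`, `$KV_RESOURCE_ID`) as `howto-configure-cluster.md` does, and list those values under Prerequisites next to the subscription ID. Since both first-party app IDs receive write access at the scope of the whole vault and the note says one vault may serve any number of clusters, the article should also state that the vault is expected to hold only Operator Nexus credentials (a dedicated vault) and that the Writer Service Role is the only role the platform needs, so readers do not reuse a vault with unrelated secrets or over-grant.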
@@ -55,6 +55,7 @@ az networkcloud cluster create --name "$CLUSTER_NAME" --location "$LOCATION" \ --network fabric-id "$NFC_ID" \ --cluster-service-principal application-id="$SP_APP_ID" \ password="$SP_PASS" principal-id="$SP_ID" tenant-id="$TENANT_ID" \ + --secret-archive "{key-vault-id:$KVRESOURCE_ID, use-key-vault:true}" \ --cluster-type "$CLUSTER_TYPE" --cluster-version "$CLUSTER_VERSION" \ --tags $TAG_KEY1="$TAG_VALUE1" $TAG_KEY2="$TAG_VALUE2" @@ -99,6 +100,7 @@ You can instead create a Cluster with ARM template/parameter files in | SP_PASS | Service Principal Password | | SP_ID | Service Principal ID | | TENANT_ID | Subscription tenant ID | +| KV_RESOURCE_ID | Key Vault ID | | CLUSTER_TYPE | Type of cluster, Single or MultiRack | | CLUSTER_VERSION | NC Version of cluster | | TAG_KEY1 | Optional tag1 to pass to Cluster Create | @@ -244,7 +246,7 @@ Some examples of deployment progress shown in detailedStatusMessage are `Hardwar :::image type="content" source="./media/nexus-deploy-kcp-status.png" lightbox="./media/nexus-deploy-kcp-status.png" alt-text="Screenshot of Azure portal showing cluster deploy progress kcp init."::: -:::image type="content" source="./media/nexus-deploy-extention-status.png" lightbox="./media/nexus-deploy-extention-status.png" alt-text="Screenshot of Azure portal showing cluster deploy progress extenstion application."::: +:::image type="content" source="./media/nexus-deploy-extension-status.png" lightbox="./media/nexus-deploy-extension-status.png" alt-text="Screenshot of Azure portal showing cluster deploy progress extension application."::: The Cluster deployment is complete when detailedStatus is set to `Running` and detailedStatusMessage shows message `Cluster is up and running`. 
diff --git a/articles/operator-nexus/media/nexus-deploy-extention-status.png b/articles/operator-nexus/media/nexus-deploy-extension-status.png similarity index 100% rename from articles/operator-nexus/media/nexus-deploy-extention-status.png rename to articles/operator-nexus/media/nexus-deploy-extension-status.png diff --git a/articles/role-based-access-control/permissions/management-and-governance.md b/articles/role-based-access-control/permissions/management-and-governance.md index b3d8ebcfe355f..45fe8dcd52b64 100644 --- a/articles/role-based-access-control/permissions/management-and-governance.md +++ b/articles/role-based-access-control/permissions/management-and-governance.md @@ -1009,7 +1009,6 @@ Azure service: [Azure Resource Manager](/azure/azure-resource-manager/) > | Microsoft.Resources/checkZonePeers/action | Check Zone Peers | > | Microsoft.Resources/changes/read | Gets or lists changes | > | Microsoft.Resources/checkPolicyCompliance/read | Check the compliance status of a given resource against resource policies. | -> | Microsoft.Resources/dataBoundaries/write | Tenant level opt-in to data boundary | > | Microsoft.Resources/deployments/read | Gets or lists deployments. | > | Microsoft.Resources/deployments/write | Creates or updates an deployment. | > | Microsoft.Resources/deployments/delete | Deletes a deployment. | diff --git a/articles/sap/workloads/get-started.md b/articles/sap/workloads/get-started.md index eaa167953dbe1..567d3acbd55fe 100644 --- a/articles/sap/workloads/get-started.md +++ b/articles/sap/workloads/get-started.md 
@@ -55,6 +55,7 @@ In the SAP workload documentation space, you can find the following areas: ## Change Log +- March 18, 2024: Added considerations for sizing the HANA shared file system in [SAP HANA Azure virtual machine storage configurations](./hana-vm-operations-storage.md) - February 07, 2024: Clarified disk allocation when using PPGs to bind availability set in specific Availability Zone in [Configuration options for optimal network latency with SAP applications](./proximity-placement-scenarios.md#combine-availability-sets-and-availability-zones-with-proximity-placement-groups) - February 01, 2024: Added guidance for [SAP front-end printing to Universal Print](./universal-print-sap-frontend.md). - January 24, 2024: Split [SAP RISE integration documentation](./rise-integration.md) into multiple segments for improved legibility, additional overview information added. diff --git a/articles/sap/workloads/hana-vm-operations-storage.md b/articles/sap/workloads/hana-vm-operations-storage.md index 90817cc2d6846..3e3985f958578 100644 --- a/articles/sap/workloads/hana-vm-operations-storage.md +++ b/articles/sap/workloads/hana-vm-operations-storage.md @@ -7,7 +7,7 @@ keywords: 'SAP, Azure HANA, Storage Ultra disk, Premium storage' ms.service: sap-on-azure ms.subservice: sap-vm-workloads ms.topic: article -ms.date: 08/03/2023 +ms.date: 03/18/2024 ms.author: juergent ms.custom: H1Hack27Feb2017 --- 
@@ -50,7 +50,7 @@ Given that low storage latency is critical for DBMS systems, even as DBMS, like Some guiding principles in selecting your storage configuration for HANA can be listed like: - Decide on the type of storage based on [Azure Storage types for SAP workload](./planning-guide-storage.md) and [Select a disk type](../../virtual-machines/disks-types.md) -- The overall VM I/O throughput and IOPS limits in mind when sizing or deciding for a VM. Overall VM storage throughput is documented in the article [Memory optimized virtual machine sizes](../../virtual-machines/sizes-memory.md). +- The overall VM I/O throughput and IOPS limits in mind when sizing or deciding for a VM. Overall VM storage throughput is documented in the article [Memory optimized virtual machine sizes](../../virtual-machines/sizes-memory.md) - When deciding for the storage configuration, try to stay below the overall throughput of the VM with your **/hana/data** volume configuration. SAP HANA writing savepoints, HANA can be aggressive issuing I/Os. It's easily possible to push up to throughput limits of your **/hana/data** volume when writing a savepoint. If your disk(s) that build the **/hana/data** volume have a higher throughput than your VM allows, you could run into situations where throughput utilized by the savepoint writing is interfering with throughput demands of the redo log writes. A situation that can impact the application throughput - If you're considering using HANA System Replication, the storage used for **/hana/data** on each replica must be same and the storage type used for **/hana/log** on each replica must be same. For example, using Azure premium storage v1 for **/hana/data** with one VM and Azure Ultra disk for **/hana/data** in another VM running a replica of the same HANA System replication configuration, isn't supported 
@@ -97,18 +97,39 @@ Accumulating multiple Azure disks underneath a stripe set, is accumulative from > [!IMPORTANT] > In case you're using LVM or mdadm as volume manager to create stripe sets across multiple Azure premium disks, the three SAP HANA FileSystems /data, /log and /shared must not be put in a default or root volume group. It's highly recommended to follow the Linux Vendors guidance which is typically to create individual Volume Groups for /data, /log and /shared. +## Considerations for the HANA shared file system + +When sizing the HANA file systems, most attention is given to the data and log file HANA systems. However, **/hana/shared** also plays an important role in operating a stable HANA system, as it hosts essential components like the HANA binaries. +If undersized, **/hana/shared** could become I/O saturated due to excessive read/write operations - for instance while writing a large dump, or during intensive tracing, or if backup is written to the **/hana/shared** file system. Latency could also increase. + +If the HANA system is in an HA configuration, slow responses from the shared file system, i.e. **/hana/shared** could cause cluster resources timeouts. These timeouts may lead to unnecessary failovers, because the HANA resource agents might incorrectly assume that the database is not available. + +The SAP guidelines for **/hana/shared** recommended sizes would look like: + +| Volume | Recommended Size | +| --- | --- | +| /hana/shared scale-up | Min(1 TB, 1 x RAM) | +| /hana/shared scale-out | 1 x RAM of worker node
per four worker nodes | + +Consult the following SAP notes for more details: +[3288971 - FAQ: SUSE HAE/RedHat HAA Pacemaker Cluster Resource Manager in SAP HANA System Replication Environments](https://me.sap.com/notes/3288971) +[1999930 - FAQ: SAP HANA I/O Analysis](https://me.sap.com/notes/1999930) + +As a best practice, size **/hana/shared** to avoid performance bottlenecks. +Remember that a well-sized **/hana/shared** file system contributes to the stability and reliability of your SAP HANA system, especially in HA scenarios. + ## Azure Premium Storage v1 configurations for HANA -For detailed HANA storage configuration recommendations using Azure premium storage v1, read the document [SAP HANA Azure virtual machine Premium SSD storage configurations](./hana-vm-premium-ssd-v1.md) +For detailed HANA storage configuration recommendations using Azure premium storage v1, read the document [SAP HANA Azure virtual machine Premium SSD storage configurations](./hana-vm-premium-ssd-v1.md). ## Azure Premium SSD v2 configurations for HANA -For detailed HANA storage configuration recommendations using Azure premium ssd v2 storage, read the document [SAP HANA Azure virtual machine Premium SSD v2 storage configurations](./hana-vm-premium-ssd-v2.md) +For detailed HANA storage configuration recommendations using Azure premium ssd v2 storage, read the document [SAP HANA Azure virtual machine Premium SSD v2 storage configurations](./hana-vm-premium-ssd-v2.md). ## Azure Ultra disk storage configuration for SAP HANA -For detailed HANA storage configuration recommendations using Azure Ultra Disk, read the document [SAP HANA Azure virtual machine Ultra Disk storage configurations](./hana-vm-ultra-disk.md) +For detailed HANA storage configuration recommendations using Azure Ultra Disk, read the document [SAP HANA Azure virtual machine Ultra Disk storage configurations](./hana-vm-ultra-disk.md). 
## NFS v4.1 volumes on Azure NetApp Files -For detail on ANF for HANA, read the document [NFS v4.1 volumes on Azure NetApp Files for SAP HANA](./hana-vm-operations-netapp.md) +For detail on ANF for HANA, read the document [NFS v4.1 volumes on Azure NetApp Files for SAP HANA](./hana-vm-operations-netapp.md). ## Next steps For more information, see: diff --git a/articles/search/TOC.yml b/articles/search/TOC.yml index 89a8361899c4f..fcf4ec071ff8d 100644 --- a/articles/search/TOC.yml +++ b/articles/search/TOC.yml @@ -20,7 +20,7 @@ - name: Semantic reranking href: search-get-started-semantic.md - name: Chat with your data (Azure OpenAI Studio) - href: search-get-started-retrieval-augmented-generation.md + href: /azure/ai-services/openai/use-your-data-quickstart?context=/azure/search/context/context - name: Portal items: - name: Create an index diff --git a/articles/search/cognitive-search-create-custom-skill-example.md b/articles/search/cognitive-search-create-custom-skill-example.md index 55bb2d5985e07..16827e201264e 100644 --- a/articles/search/cognitive-search-create-custom-skill-example.md +++ b/articles/search/cognitive-search-create-custom-skill-example.md @@ -6,7 +6,7 @@ author: gmndrg ms.author: gimondra ms.service: cognitive-search ms.topic: conceptual -ms.date: 12/01/2022 +ms.date: 03/18/2024 ms.custom: - devx-track-csharp - ignite-2023 
@@ -20,31 +20,33 @@ In this example, learn how to create a web API custom skill. This skill will acc + Read about [custom skill interface](cognitive-search-custom-skill-interface.md) article if you aren't familiar with the input/output interface that a custom skill should implement. -+ Create a [Bing Search v7 resource](https://portal.azure.com/#create/Microsoft.BingSearch) through the Azure Portal. A free tier is available and sufficient for this example. ++ Create a [Bing Search resource](https://portal.azure.com/#create/Microsoft.BingSearch) through the Azure portal. A free tier is available and sufficient for this example. -+ Install [Visual Studio 2019](https://www.visualstudio.com/vs/) or later, including the Azure development workload. ++ Install [Visual Studio](https://www.visualstudio.com/vs/) or later. ## Create an Azure Function Although this example uses an Azure Function to host a web API, it isn't required. As long as you meet the [interface requirements for a cognitive skill](cognitive-search-custom-skill-interface.md), the approach you take is immaterial. Azure Functions, however, make it easy to create a custom skill. -### Create a function app +### Create a project 1. In Visual Studio, select **New** > **Project** from the File menu. -1. In the New Project dialog, select **Azure Functions** as the template and select **Next**. Type a name for your project, and select **Create**. The function app name must be valid as a C# namespace, so don't use underscores, hyphens, or any other non-alphanumeric characters. +1. Choose **Azure Functions** as the template and select **Next**. Type a name for your project, and select **Create**. The function app name must be valid as a C# namespace, so don't use underscores, hyphens, or any other non-alphanumeric characters. -1. Select the type to be **HTTP Trigger** +1. Select a framework that has long term support. -1. For Storage Account, you may select **None**, as you won't need any storage for this function. 
+1. Choose **HTTP Trigger** for the type of function to add to the project. + +1. Choose **Function** for the authorization level. 1. Select **Create** to create the function project and HTTP triggered function. -### Modify the code to call the Bing Entity Search Service +### Add code to call the Bing Entity API -Visual Studio creates a project and in it a class that contains boilerplate code for the chosen function type. The *FunctionName* attribute on the method sets the name of the function. The *HttpTrigger* attribute specifies that the function is triggered by an HTTP request. +Visual Studio creates a project with boilerplate code for the chosen function type. The *FunctionName* attribute on the method sets the name of the function. The *HttpTrigger* attribute specifies that the function is triggered by an HTTP request. -Now, replace all of the content of the file *Function1.cs* with the following code: +Replace the contents of *Function1.cs* with the following code: ```csharp using System; @@ -308,10 +310,6 @@ namespace SampleSkills Make sure to enter your own *key* value in the `key` constant based on the key you got when signing up for the Bing entity search API. -This sample includes all necessary code in a single file for convenience. You can find a slightly more structured version of that same skill in [the power skills repository](https://github.com/Azure-Samples/azure-search-power-skills/tree/main/Text/BingEntitySearch). - -Of course, you may rename the file from `Function1.cs` to `BingEntitySearch.cs`. - ## Test the function from Visual Studio Press **F5** to run the program and test function behaviors. In this case, we'll use the function below to look up two entities. Use a REST client to issue a call like the one shown below: diff --git a/articles/search/cognitive-search-custom-skill-scale.md b/articles/search/cognitive-search-custom-skill-scale.md index c3efee26ee5e1..4098bb44c19c7 100644 
--- a/articles/search/cognitive-search-custom-skill-scale.md +++ b/articles/search/cognitive-search-custom-skill-scale.md 
@@ -9,51 +9,48 @@ ms.service: cognitive-search ms.custom: - ignite-2023 ms.topic: conceptual -ms.date: 12/01/2022 +ms.date: 03/18/2024 --- # Efficiently scale out a custom skill Custom skills are web APIs that implement a specific interface. A custom skill can be implemented on any publicly addressable resource. The most common implementations for custom skills are: -* Azure Functions for custom logic skills -* Azure Webapps for simple containerized AI skills -* Azure Kubernetes service for more complex or larger skills. + ++ Azure Functions for custom logic skills ++ Azure Web apps for simple containerized AI skills ++ Azure Kubernetes service for more complex or larger skills. ## Prerequisites -+ Review the [custom skill interface](cognitive-search-custom-skill-interface.md) for an introduction into the input/output interface that a custom skill should implement. ++ Review the [custom skill interface](cognitive-search-custom-skill-interface.md) for an introduction into the inputs and outputs that a custom skill should implement. -+ Set up your environment. You could start with [this tutorial end-to-end](../azure-functions/create-first-function-vs-code-python.md) to set up serverless Azure Function using Visual Studio Code and Python extensions. ++ Set up your environment. You can start with [this tutorial end-to-end](../azure-functions/create-first-function-vs-code-python.md) to set up serverless Azure Function using Visual Studio Code with the Python extension. ## Skillset configuration -Configuring a custom skill for maximizing throughput of the indexing process requires an understanding of the skill, indexer configurations and how the skill relates to each document. For example, the number of times a skill is invoked per document and the expected duration per invocation. - -### Skill settings - -On the [custom skill](cognitive-search-custom-skill-web-api.md) set the following parameters. 
+The following properties on a [custom skill](cognitive-search-custom-skill-web-api.md) are used for scale. 1. Set `batchSize` of the custom skill to configure the number of records sent to the skill in a single invocation of the skill. -2. Set the `degreeOfParallelism` to calibrate the number of concurrent requests the indexer will make to your skill. +1. Set the `degreeOfParallelism` to calibrate the number of concurrent requests the indexer makes to your skill. -3. Set `timeout`to a value sufficient for the skill to respond with a valid response. +1. Set `timeout`to a value sufficient for the skill to respond with a valid response. -4. In the `indexer` definition, set [`batchSize`](/rest/api/searchservice/create-indexer#indexer-parameters) to the number of documents that should be read from the data source and enriched concurrently. +1. In the `indexer` definition, set [`batchSize`](/rest/api/searchservice/create-indexer#indexer-parameters) to the number of documents that should be read from the data source and enriched concurrently. ### Considerations -Setting these variables to optimize the indexers performance requires determining if your skill performs better with many concurrent small requests or fewer large requests. A few questions to consider are: + There's no "one size fits all" set of recommendations. You should plan on testing different configurations to reach an optimum result. Strategies are either fewer large requests or many small requests. -* What is the skill invocation cardinality? Does the skill execute once for each document, for instance a document classification skill, or could the skill execute multiple times per document, a paragraph classification skill? ++ Skill invocation cardinality: Does the skill execute once for each document (`/document/content`) or multiple times per document (`/document/reviews_text/pages/*`). 
-* On average how many documents are read from the data source to fill out a skill request based on the skill batch size? Ideally, this should be less than the indexer batch size. With batch sizes greater than 1 your skill can receive records from multiple source documents. For example if the indexer batch count is 5 and the skill batch count is 50 and each document generates only five records, the indexer will need to fill a custom skill request across multiple indexer batches. ++ On average, how many documents are read from the data source to fill out a skill request based on the skill batch size? Ideally, this should be less than the indexer batch size. With batch sizes greater than one, your skill can receive records from multiple source documents. For example, if the indexer batch count is 5, and the skill batch count is 50 and each document generates only five records, the indexer will need to fill a custom skill request across multiple indexer batches. -* The average number of requests an indexer batch can generate should give you an optimal setting for the degrees of parallelism. If your infrastructure hosting the skill cannot support that level of concurrency, consider dialing down the degrees of parallelism. As a best practice, test your configuration with a few documents to validate your choices on the parameters. ++ The average number of requests an indexer batch can generate should give you an optimal setting for the degrees of parallelism. If your infrastructure hosting the skill can't support that level of concurrency, consider dialing down the degrees of parallelism. As a best practice, test your configuration with a few documents to validate your choices on the parameters. -* Testing with a smaller sample of documents, evaluate the execution time of your skill to the overall time taken to process the subset of documents. Does your indexer spend more time building a batch or waiting for a response from your skill? 
++ Testing with a smaller sample of documents, evaluate the execution time of your skill to the overall time taken to process the subset of documents. Does your indexer spend more time building a batch or waiting for a response from your skill? -* Consider the upstream implications of parallelism. If the input to a custom skill is an output from a prior skill, are all the skills in the skillset scaled out effectively to minimize latency? ++ Consider the upstream implications of parallelism. If the input to a custom skill is an output from a prior skill, are all the skills in the skillset scaled out effectively to minimize latency? ## Error handling in the custom skill @@ -83,7 +80,7 @@ Start by testing your custom skill with a REST API client to validate: * Returns a valid HTTP status code -Create a [debug session](cognitive-search-debug-session.md) to add your skill to the skillset and make sure it produces a valid enrichment. While a debug session does not allow you to tune the performance of the skill, it enables you to ensure that the skill is configured with valid values and returns the expected enriched objects. +Create a [debug session](cognitive-search-debug-session.md) to add your skill to the skillset and make sure it produces a valid enrichment. While a debug session doesn't allow you to tune the performance of the skill, it enables you to ensure that the skill is configured with valid values and returns the expected enriched objects. ## Best practices 
@@ -91,17 +88,8 @@ Create a [debug session](cognitive-search-debug-session.md) to add your skill to * Consider setting the batch size on the indexer and skill to ensure that each data source batch generates a full payload for your skill. -* For long running tasks, set the timeout to a high enough value to ensure the indexer does not error out when processing documents concurrently. +* For long running tasks, set the timeout to a high enough value to ensure the indexer doesn't error out when processing documents concurrently. * Optimize the indexer batch size, skill batch size, and skill degrees of parallelism to generate the load pattern your skill expects, fewer large requests or many small requests. -* Monitor custom skills with detailed logs of failures as you can have scenarios where specific requests consistently fail as a result of the data variability. - - -## Next steps -Congratulations! Your custom skill is now scaled right to maximize throughput on the indexer. - -+ [Power Skills: a repository of custom skills](https://github.com/Azure-Samples/azure-search-power-skills) -+ [Add a custom skill to an AI enrichment pipeline](cognitive-search-custom-skill-interface.md) -+ [Add an Azure Machine Learning skill](./cognitive-search-aml-skill.md) -+ [Use debug sessions to test changes](./cognitive-search-debug-session.md) +* Monitor custom skills with detailed logs of failures as you can have scenarios where specific requests consistently fail as a result of the data variability. \ No newline at end of file diff --git a/articles/search/index-sql-relational-data.md b/articles/search/index-sql-relational-data.md index 3c127b2c8081e..aacc5d09d543e 100644 --- a/articles/search/index-sql-relational-data.md +++ b/articles/search/index-sql-relational-data.md 
@@ -1,7 +1,7 @@ --- title: Model SQL relational data for import and indexing titleSuffix: Azure AI Search -description: Learn how to model relational data, de-normalized into a flat result set, for indexing and full text search in Azure AI Search. +description: Learn how to model relational data, denormalized into a flat result set, for indexing and full text search in Azure AI Search. author: HeidiSteen manager: nitinme ms.author: heidist 
@@ -9,13 +9,14 @@ ms.service: cognitive-search ms.custom: - ignite-2023 ms.topic: how-to -ms.date: 02/22/2023 +ms.date: 03/18/2024 --- + # How to model relational SQL data for import and indexing in Azure AI Search Azure AI Search accepts a flat rowset as input to the [indexing pipeline](search-what-is-an-index.md). If your source data originates from joined tables in a SQL Server relational database, this article explains how to construct the result set, and how to model a parent-child relationship in an Azure AI Search index. -As an illustration, we refer to a hypothetical hotels database, based on [demo data](https://github.com/Azure-Samples/azure-search-sample-data/tree/main/hotels). Assume the database consists of a Hotels$ table with 50 hotels, and a Rooms$ table with rooms of varying types, rates, and amenities, for a total of 750 rooms. There's a one-to-many relationship between the tables. In our approach, a view provides the query that returns 50 rows, one row per hotel, with associated room detail embedded into each row. +As an illustration, we refer to a hypothetical hotels database, based on [demo data](https://github.com/Azure-Samples/azure-search-sample-data/tree/main/hotels). Assume the database consists of a `Hotels$` table with 50 hotels, and a `Rooms$` table with rooms of varying types, rates, and amenities, for a total of 750 rooms. There's a one-to-many relationship between the tables. In our approach, a view provides the query that returns 50 rows, one row per hotel, with associated room detail embedded into each row. ![Tables and view in the Hotels database](media/index-sql-relational-data/hotels-database-tables-view.png "Tables and view in the Hotels database") 
@@ -43,7 +44,7 @@ To deliver the expected search experience, your data set should consist of one r The solution is to capture the room detail as nested JSON, and then insert the JSON structure into a field in a view, as shown in the second step. -1. Assume you've two joined tables, Hotels$ and Rooms$, that contain details for 50 hotels and 750 rooms and are joined on the HotelID field. Individually, these tables contain 50 hotels and 750 related rooms. +1. Assume you have two joined tables, `Hotels$` and `Rooms$`, that contain details for 50 hotels and 750 rooms and are joined on the HotelID field. Individually, these tables contain 50 hotels and 750 related rooms. ```sql CREATE TABLE [dbo].[Hotels$]( @@ -106,7 +107,7 @@ This rowset is now ready for import into Azure AI Search. ## Use a complex collection for the "many" side of a one-to-many relationship -On the Azure AI Search side, create an index schema that models the one-to-many relationship using nested JSON. The result set you created in the previous section generally corresponds to the index schema provided below (we cut some fields for brevity). +On the Azure AI Search side, create an index schema that models the one-to-many relationship using nested JSON. The result set you created in the previous section generally corresponds to the index schema provided next (we cut some fields for brevity). The following example is similar to the example in [How to model complex data types](search-howto-complex-data-types.md#create-complex-fields). The *Rooms* structure, which has been the focus of this article, is in the fields collection of an index named *hotels*. This example also shows a complex type for *Address*, which differs from *Rooms* in that it's composed of a fixed set of items, as opposed to the multiple, arbitrary number of items allowed in a collection. 
@@ -144,11 +145,11 @@ The following example is similar to the example in [How to model complex data ty } ``` -Given the previous result set and the above index schema, you've all the required components for a successful indexing operation. The flattened data set meets indexing requirements yet preserves detail information. In the Azure AI Search index, search results will fall easily into hotel-based entities, while preserving the context of individual rooms and their attributes. +Given the previous result set and the above index schema, you have all the required components for a successful indexing operation. The flattened data set meets indexing requirements yet preserves detail information. In the Azure AI Search index, search results fall easily into hotel-based entities, while preserving the context of individual rooms and their attributes. ## Facet behavior on complex type subfields -Fields that have a parent, such as the fields under Address and Rooms, are called *subfields*. Although you can assign a "facetable" attribute to a subfield, the count of the facet will always be for the main document. +Fields that have a parent, such as the fields under Address and Rooms, are called *subfields*. Although you can assign a "facetable" attribute to a subfield, the count of the facet is always for the main document. For complex types like Address, where there's just one "Address/City" or "Address/stateProvince" in the document, the facet behavior works as expected. However, in the case of Rooms, where there are multiple subdocuments for each main document, the facet counts can be misleading. diff --git a/articles/search/knowledge-store-connect-power-bi.md b/articles/search/knowledge-store-connect-power-bi.md index ae0a6cfc13340..d1630dbbb3823 100644 --- a/articles/search/knowledge-store-connect-power-bi.md +++ b/articles/search/knowledge-store-connect-power-bi.md 
@@ -9,7 +9,7 @@ ms.service: cognitive-search ms.custom: - ignite-2023 ms.topic: conceptual -ms.date: 01/30/2023 +ms.date: 03/18/2024 --- # Connect a knowledge store with Power BI @@ -24,11 +24,11 @@ Follow the steps in this article using sample data and a knowledge store as [cre 1. Start [Power BI Desktop](https://powerbi.microsoft.com/downloads/) and select **Get data**. -1. In the **Get Data** window, select **Azure**, and then select **Azure Table Storage**. +1. In **Get Data**, select **Azure**, and then select **Azure Table Storage**. 1. Select **Connect**. -1. For **Account Name or URL**, enter in your Azure Storage account name (the full URL will be created for you). +1. For **Account Name or URL**, enter in your Azure Storage account name (the full URL is created for you). 1. If prompted, enter the storage account key. @@ -46,7 +46,7 @@ Follow the steps in this article using sample data and a knowledge store as [cre ![Edit tables](media/knowledge-store-connect-power-bi/powerbi-edit-table.png "Edit tables") -1. Click the icon with opposing arrows at the upper right side of the table to expand *Content*. When the list of columns appears, select all columns. Clear columns starting with 'metadata'. Click **OK** to include the selected columns. +1. Select the icon with opposing arrows at the upper right side of the table to expand *Content*. When the list of columns appears, select all columns. Clear columns starting with 'metadata'. Select **OK** to include the selected columns. ![Expand content](media/knowledge-store-connect-power-bi/powerbi-expand-content-table.png "Expand content") 
@@ -61,11 +61,11 @@ Follow the steps in this article using sample data and a knowledge store as [cre 1. Open *hotelReviewsSsKeyPhrases* and repeat column deletion steps, expanding *Content* to select columns from the records. There are no data type modifications for this table. -1. On the command bar, click **Close and Apply**. +1. On the command bar, select **Close and Apply**. ## Check table relationships -1. Click on the Model tile on the left navigation pane and validate that Power BI shows relationships between all three tables. +1. Select on the Model tile on the left navigation pane and validate that Power BI shows relationships between all three tables. ![Validate relationships](media/knowledge-store-connect-power-bi/powerbi-relationships.png "Validate relationships") @@ -73,7 +73,7 @@ Follow the steps in this article using sample data and a knowledge store as [cre ## Build a report -1. Click on the Report tile on the left navigation pane to explore data through visualizations. For text fields, tables and cards are useful visualizations. +1. Select on the Report tile on the left navigation pane to explore data through visualizations. For text fields, tables and cards are useful visualizations. 1. Choose fields from each of the three tables to fill in the table or card. 
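Review bot: `Select on the Model tile` and `Select on the Report tile` (hunks @@ -61,11 and @@ -73,7) swap `Click on` for `Select on`, which isn't idiomatic; the object takes no preposition, so write `Select the Model tile on the left navigation pane` and `Select the Report tile on the left navigation pane`.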
@@ -83,7 +83,7 @@ Follow the steps in this article using sample data and a knowledge store as [cre When creating a [knowledge store using the Azure portal](knowledge-store-create-portal.md), you have the option of downloading a [Power BI template](https://github.com/Azure-Samples/cognitive-search-templates) on the second page of the **Import data** wizard. This template gives you several visualizations, such as WordCloud and Network Navigator, for text-based content. -Click **Get Power BI Template** on the **Add cognitive skills** page to retrieve and download the template from its public GitHub location. The wizard modifies the template to accommodate the shape of your data, as captured in the knowledge store projections specified in the wizard. For this reason, the template you download will vary each time you run the wizard, assuming different data inputs and skill selections. +Select **Get Power BI Template** on the **Add cognitive skills** page to retrieve and download the template from its public GitHub location. The wizard modifies the template to accommodate the shape of your data, as captured in the knowledge store projections specified in the wizard. For this reason, the template you download varies each time you run the wizard, assuming different data inputs and skill selections. ![Sample Azure AI Search Power BI Template](media/knowledge-store-connect-power-bi/powerbi-sample-template-portal-only.png "Sample Power BI template") diff --git a/articles/search/knowledge-store-create-portal.md b/articles/search/knowledge-store-create-portal.md index 6cda75ac983ff..f437abae66690 100644 --- a/articles/search/knowledge-store-create-portal.md +++ b/articles/search/knowledge-store-create-portal.md @@ -7,7 +7,7 @@ ms.author: heidist manager: nitinme ms.service: cognitive-search ms.topic: quickstart -ms.date: 06/29/2023 +ms.date: 03/18/2024 ms.custom: - mode-ui - ignite-2023 
diff --git a/articles/search/knowledge-store-projection-shape.md b/articles/search/knowledge-store-projection-shape.md index b38a248e5d31d..f2d717f8c8dab 100644 --- a/articles/search/knowledge-store-projection-shape.md +++ b/articles/search/knowledge-store-projection-shape.md @@ -8,7 +8,7 @@ ms.service: cognitive-search ms.custom: - ignite-2023 ms.topic: conceptual -ms.date: 01/31/2023 +ms.date: 03/18/2024 --- # Shaping data for projection into a knowledge store diff --git a/articles/search/knowledge-store-projections-examples.md b/articles/search/knowledge-store-projections-examples.md index 5bedfafd456d6..68d557dc9b113 100644 --- a/articles/search/knowledge-store-projections-examples.md +++ b/articles/search/knowledge-store-projections-examples.md @@ -10,7 +10,7 @@ ms.service: cognitive-search ms.custom: - ignite-2023 ms.topic: conceptual -ms.date: 01/31/2023 +ms.date: 03/18/2024 --- # Define projections in a knowledge store @@ -35,6 +35,7 @@ Recall that projections are defined under the "knowledgeStore" property of a ski "files": [ ] } ] +} ``` If you need more background before getting started, review [this check list](knowledge-store-projection-overview.md#checklist-for-getting-started) for tips and workflow. diff --git a/articles/search/search-get-started-powershell.md b/articles/search/search-get-started-powershell.md index e7d11cafaceb5..14c80db1cd93f 100644 --- a/articles/search/search-get-started-powershell.md +++ b/articles/search/search-get-started-powershell.md @@ -8,7 +8,7 @@ ms.author: heidist ms.service: cognitive-search ms.topic: quickstart ms.devlang: rest-api -ms.date: 01/27/2023 +ms.date: 03/18/2024 ms.custom: - mode-api - ignite-2023 
@@ -23,13 +23,13 @@ If you don't have an Azure subscription, create a [free account](https://azure.m The following services and tools are required for this quickstart. -+ [PowerShell 5.1 or later](https://github.com/PowerShell/PowerShell), using [Invoke-RestMethod](/powershell/module/Microsoft.PowerShell.Utility/Invoke-RestMethod) for sequential and interactive steps. ++ [PowerShell 7.3 or later](https://github.com/PowerShell/PowerShell), using [Invoke-RestMethod](/powershell/module/Microsoft.PowerShell.Utility/Invoke-RestMethod) for sequential and interactive steps. + [Create an Azure AI Search service](search-create-service-portal.md) or [find an existing service](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Search%2FsearchServices) under your current subscription. You can use a free service for this quickstart. -## Copy a key and URL +## Copy a search service key and URL -REST calls require the service URL and an access key on every request. A search service is created with both, so if you added Azure AI Search to your subscription, follow these steps to get the necessary information: +In this quickstart, REST calls include the service URL and an access key on every request. A search service is created with both, so if you added Azure AI Search to your subscription, follow these steps to get the necessary information: 1. Sign in to the [Azure portal](https://portal.azure.com), and in your search service **Overview** page, get the URL. An example endpoint might look like `https://mydemo.search.windows.net`. 
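Review bot: the prerequisite at @@ -23,13 jumps from `PowerShell 5.1 or later` to `PowerShell 7.3 or later` without saying why; if the scripts now depend on 7.x behaviour of Invoke-RestMethod or ConvertTo-Json, name it, otherwise readers still on Windows PowerShell 5.1 will assume the quickstart no longer works for them. A short "install PowerShell 7" pointer next to the GitHub link would also help, since 7.x installs alongside 5.1 rather than replacing it.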
@@ -41,7 +41,7 @@ All requests require an api-key on every request sent to your service. Having a ## Connect to Azure AI Search -1. In PowerShell, create a **$headers** object to store the content-type and API key. Replace the admin API key (YOUR-ADMIN-API-KEY) with a key that is valid for your search service. You only have to set this header once for the duration of the session, but you will add it to every request. +1. In PowerShell, create a **$headers** object to store the content-type and API key. Replace the admin API key (YOUR-ADMIN-API-KEY) with a key that is valid for your search service. You only have to set this header once for the duration of the session, but you'll add it to every request. ```powershell $headers = @{ @@ -53,7 +53,7 @@ All requests require an api-key on every request sent to your service. Having a 2. Create a **$url** object that specifies the service's indexes collection. Replace the service name (YOUR-SEARCH-SERVICE-NAME) with a valid search service. ```powershell - $url = "https://.search.windows.net/indexes?api-version=2020-06-30&`$select=name" + $url = "https://.search.windows.net/indexes?api-version=2023-11-01&`$select=name" ``` 3. Run **Invoke-RestMethod** to send a GET request to the service and verify the connection. Add **ConvertTo-Json** so that you can view the responses sent back from the service. @@ -62,7 +62,7 @@ All requests require an api-key on every request sent to your service. Having a Invoke-RestMethod -Uri $url -Headers $headers | ConvertTo-Json ``` - If the service is empty and has no indexes, results are similar to the following example. Otherwise, you'll see a JSON representation of index definitions. + If the service is empty and has no indexes, results are similar to the following example. Otherwise, you see a JSON representation of index definitions. ``` { 
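Review bot: the step at @@ -41,7 still has readers paste the admin key as a literal into `$headers`, which puts the key into the PSReadLine history file for the session; suggest reading it from an environment variable instead (for example `'api-key' = $env:SEARCH_ADMIN_KEY`) so the secret never appears on the command line. The same sentence says the header is added to every request, including the read-only queries later in the quickstart; a one-line note that a query key is sufficient for those calls would keep the quickstart aligned with least privilege.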
@@ -75,9 +75,9 @@ All requests require an api-key on every request sent to your service. Having a ## 1 - Create an index -Unless you are using the portal, an index must exist on the service before you can load data. This step defines the index and pushes it to the service. The [Create Index REST API](/rest/api/searchservice/create-index) is used for this step. +Unless you're using the portal, an index must exist on the service before you can load data. This step defines the index and pushes it to the service. The [Create Index REST API](/rest/api/searchservice/create-index) is used for this step. -Required elements of an index include a name and a fields collection. The fields collection defines the structure of a *document*. Each field has a name, type, and attributes that determine how it's used (for example, whether it is full-text searchable, filterable, or retrievable in search results). Within an index, one of the fields of type `Edm.String` must be designated as the *key* for document identity. +Required elements of an index include a name and a fields collection. The fields collection defines the structure of a *document*. Each field has a name, type, and attributes that determine how it's used (for example, whether it's full-text searchable, filterable, or retrievable in search results). Within an index, one of the fields of type `Edm.String` must be designated as the *key* for document identity. This index is named "hotels-quickstart" and has the field definitions you see below. It's a subset of a larger [Hotels index](https://github.com/Azure-Samples/azure-search-sample-data/blob/main/hotels/Hotels_IndexDefinition.JSON) used in other walk-through articles. The field definitions have been trimmed in this quickstart for brevity. 
@@ -113,7 +113,7 @@ This index is named "hotels-quickstart" and has the field definitions you see be 2. Set the URI to the indexes collection on your service and the *hotels-quickstart* index. ```powershell - $url = "https://.search.windows.net/indexes/hotels-quickstart?api-version=2020-06-30" + $url = "https://.search.windows.net/indexes/hotels-quickstart?api-version=2023-11-01" ``` 3. Run the command with **$url**, **$headers**, and **$body** to create the index on the service. @@ -159,7 +159,9 @@ This index is named "hotels-quickstart" and has the field definitions you see be "analyzer": null, "synonymMaps": "" }, - . . . + . . . + ] + } ``` > [!Tip] @@ -263,7 +265,7 @@ To push documents, use an HTTP POST request to your index's URL endpoint. The RE 1. Set the endpoint to the *hotels-quickstart* docs collection and include the index operation (indexes/hotels-quickstart/docs/index). ```powershell - $url = "https://.search.windows.net/indexes/hotels-quickstart/docs/index?api-version=2020-06-30" + $url = "https://.search.windows.net/indexes/hotels-quickstart/docs/index?api-version=2023-11-01" ``` 1. Run the command with **$url**, **$headers**, and **$body** to load documents into the hotels-quickstart index. @@ -316,7 +318,7 @@ Be sure to use single quotes on search $urls. Query strings include **$** charac This string executes an empty search (search=*), returning an unranked list (search score = 1.0) of arbitrary documents. By default, Azure AI Search returns 50 matches at a time. As structured, this query returns an entire document structure and values. Add **$count=true** to get a count of all documents in the results. ```powershell - $url = 'https://.search.windows.net/indexes/hotels-quickstart/docs?api-version=2020-06-30&search=*&$count=true' + $url = 'https://.search.windows.net/indexes/hotels-quickstart/docs?api-version=2023-11-01&search=*&$count=true' ``` 1. Run the command to send the **$url** to the service. 
@@ -356,7 +358,9 @@ Be sure to use single quotes on search $urls. Query strings include **$** charac "Rating": 4.8, "Address": "@{StreetAddress=3393 Peachtree Rd; City=Atlanta; StateProvince=GA; PostalCode=30326; Country=USA}" }, - . . . + . . . + ] + } ``` Try a few other query examples to get a feel for the syntax. You can do a string search, verbatim $filter queries, limit the results set, scope the search to specific fields, and more. 
@@ -365,29 +369,30 @@ Try a few other query examples to get a feel for the syntax. You can do a string # Query example 1 # Search the entire index for the terms 'restaurant' and 'wifi' # Return only the HotelName, Description, and Tags fields -$url = 'https://.search.windows.net/indexes/hotels-quickstart/docs?api-version=2020-06-30&search=restaurant wifi&$count=true&$select=HotelName,Description,Tags' +$url = 'https://.search.windows.net/indexes/hotels-quickstart/docs?api-version=2023-11-01&search=restaurant wifi&$count=true&$select=HotelName,Description,Tags' # Query example 2 # Apply a filter to the index to find hotels rated 4 or higher # Returns the HotelName and Rating. Two documents match. -$url = 'https://.search.windows.net/indexes/hotels-quickstart/docs?api-version=2020-06-30&search=*&$filter=Rating gt 4&$select=HotelName,Rating' +$url = 'https://.search.windows.net/indexes/hotels-quickstart/docs?api-version=2023-11-01&search=*&$filter=Rating gt 4&$select=HotelName,Rating' # Query example 3 # Take the top two results, and show only HotelName and Category in the results -$url = 'https://.search.windows.net/indexes/hotels-quickstart/docs?api-version=2020-06-30&search=boutique&$top=2&$select=HotelName,Category' +$url = 'https://.search.windows.net/indexes/hotels-quickstart/docs?api-version=2023-11-01&search=boutique&$top=2&$select=HotelName,Category' # Query example 4 # Sort by a specific field (Address/City) in ascending order -$url = 'https://.search.windows.net/indexes/hotels-quickstart/docs?api-version=2020-06-30&search=pool&$orderby=Address/City asc&$select=HotelName, Address/City, Tags, Rating' +$url = 'https://.search.windows.net/indexes/hotels-quickstart/docs?api-version=2023-11-01&search=pool&$orderby=Address/City asc&$select=HotelName, Address/City, Tags, Rating' ``` + ## Clean up resources When you're working in your own subscription, it's a good idea at the end of a project to identify whether you still need the resources you created. 
Resources left running can cost you money. You can delete resources individually or delete the resource group to delete the entire set of resources. You can find and manage resources in the portal, using the **All resources** or **Resource groups** link in the left-navigation pane. -If you are using a free service, remember that you are limited to three indexes, indexers, and data sources. You can delete individual items in the portal to stay under the limit. +If you're using a free service, remember that you're limited to three indexes, indexers, and data sources. You can delete individual items in the portal to stay under the limit. ## Next steps diff --git a/articles/search/search-get-started-rest.md b/articles/search/search-get-started-rest.md index 8257a0d07df68..4623e526c53f1 100644 --- a/articles/search/search-get-started-rest.md +++ b/articles/search/search-get-started-rest.md @@ -51,7 +51,7 @@ If you're not familiar with the REST client for Visual Studio Code, this section 1. Search for the REST client and select **Install**. - :::image type="content" source="media/search-get-started-rest/rest-client-install.png" alt-text="Screenshot of the install command."::: + :::image type="content" source="media/search-get-started-rest/rest-client-install.png" alt-text="Screenshot of the REST client install command."::: 1. Open or create new file named with either a `.rest` or `.http` file extension. @@ -257,7 +257,7 @@ Now that documents are loaded, you can issue queries against them using [Documen The URI is extended to include a query expression, specified using the `/docs/search` operator. 1. Paste in the following example to query the search index, and then select **Send request**. A text search request always includes a `search` parameter. This example includes an optional `searchFields` parameter that constrains text search to specific fields. - + ```http ### Run a query POST {{baseUrl}}/indexes/hotels-quickstart/docs/search?api-version=2023-11-01 HTTP/1.1 
@@ -333,7 +333,7 @@ DELETE {{baseUrl}}/indexes/hotels-quickstart?api-version=2023-11-01 HTTP/1.1 api-key: {{apiKey}} ``` -## Next steps +## Next step Now that you're familiar with the REST client and making REST calls to Azure AI Search, try another quickstart that demonstrates vector support. diff --git a/articles/search/search-get-started-retrieval-augmented-generation.md b/articles/search/search-get-started-retrieval-augmented-generation.md deleted file mode 100644 index 1c93cd94b815c..0000000000000 --- a/articles/search/search-get-started-retrieval-augmented-generation.md +++ /dev/null 
@@ -1,134 +0,0 @@ ---- -title: 'Quickstart: RAG app' -titleSuffix: Azure AI Search -description: Use Azure OpenAI Studio to chat with a search index on Azure AI Search. Explore the Retrieval Augmented Generation (RAG) pattern for your search solution. - -author: HeidiSteen -ms.author: heidist -ms.service: cognitive-search -ms.custom: -ms.topic: quickstart -ms.date: 01/25/2024 ---- - -# Quickstart: Chat with your search index in Azure OpenAI Studio - -Get started with generative search using Azure OpenAI Studio's **Add your own data** option to implement a Retrieval Augmented Generation (RAG) experience powered by Azure AI Search. - -**Add your own data** gives you built-in data preprocessing (text extraction and clean up), data chunking, embedding, and indexing. You can stand up a chat experience quickly, experiment with prompts over your own data, and gain important insights as to how your content performs before writing any code. - -In this quickstart: - -> [!div class="checklist"] -> + Deploy Azure OpenAI models -> + Download sample PDFs -> + Configure data processing -> + Chat with your data in the Azure OpenAI Studio playground -> + Test your index with different chat models, configurations, and history - -## Prerequisites - -+ [An Azure subscription](https://azure.microsoft.com/free/) - -+ [Azure OpenAI](https://aka.ms/oai/access) - -+ [Azure Storage](/azure/storage/common/storage-account-create) - -+ [Azure AI Search](search-create-app-portal.md), in any region, on a billable tier (Basic and higher), preferably with [semantic ranking enabled](semantic-how-to-enable-disable.md) - -+ Contributor permissions in the Azure subscription for creating resources - -+ Download the sample famous-speeches-pdf PDFs in [azure-search-sample-data](https://github.com/Azure-Samples/azure-search-sample-data/tree/main/famous-speeches-pdf). 
- - For this quickstart, we recommend starting with smaller files so that you can conserve [vector storage](vector-search-index-size.md) and [Azure OpenAI quota](/azure/ai-services/openai/quotas-limits) for other work. - -## Set up model deployments - -1. Start [Azure OpenAI Studio](https://oai.azure.com/portal). - -1. Sign in, select your Azure subscription and Azure OpenAI resource, and then select **Use resource**. - -1. Under **Management > Deployments**, find or create a deployment for each of the following models: - - + [text-embedding-ada-002](/azure/ai-services/openai/concepts/models#embeddings) - + [gpt-35-turbo](/azure/ai-services/openai/concepts/models#gpt-35) - - Deploy more *chat* models if you want to compare them using your data. *Fine-tuning* models like Text-Davinci-002 aren't supported for this scenario. - - If you create new deployments, the default configurations are suited for this tutorial. It's helpful to name each deployment after the model. For example, "text-embedding-ada-002" as the deployment name of the text-embedding-ada-002 model. - -## Generate a vector store for the playground - -1. Sign in to the [Azure OpenAI Studio](https://oai.azure.com/portal). - -1. On the **Chat** page under **Playground**, select **Add your data (preview)**. - -1. Select **Add data source**. - -1. From the dropdown list, select **Upload files**. - - :::image type="content" source="media/search-get-started-rag/azure-openai-data-source.png" lightbox="media/search-get-started-rag/azure-openai-data-source.png" alt-text="Screenshot of the upload files option."::: - -1. In Data source, select your Azure Blob storage resource. Enable cross-origin scripting if prompted. - -1. Select your Azure AI Search resource. - -1. Provide an index name that's unique in your search service. - -1. Check **Add vector search to this search index.** This option tokenizes your content and generates embeddings. - -1. Select **Azure OpenaI - text-embedding-ada-002**. 
This embedding model accepts a maximum of 8192 tokens for each chunk. Data chunking is internal and nonconfigurable. - -1. Check the acknowledgment that Azure AI Search is a billable service. If you're using an existing search service, there's no extra charge for vector store unless you add semantic ranking. If you're creating a new service, Azure AI Search becomes billable upon service creation. - -1. Select **Next**. - -1. In Upload files, select the four files and then select **Upload**. File size limit is 16 MB. - -1. Select **Next**. - -1. In Data Management, choose **Hybrid + semantic** if [semantic ranking is enabled](semantic-how-to-enable-disable.md) on your search service. If semantic ranking is disabled, choose **Hybrid (vector + keyword)**. [Hybrid](hybrid-search-overview.md) is a better choice because vector (similarity) search and keyword search execute the same query input in parallel, which can produce a more relevant response. - - :::image type="content" source="media/search-get-started-rag/azure-openai-data-manage.png" lightbox="media/search-get-started-rag/azure-openai-data-manage.png" alt-text="Screenshot of the data management options."::: - -1. Acknowledge that vectorization of the sample data is billed at the usage rate of the Azure OpenAI embedding model. - -1. Select **Next**, and then select **Review and Finish**. - -## Chat with your data - -The playground gives you options for configuring and monitoring chat. On the right, model configuration determines which model formulates an answer using the search results from Azure AI Search. The input token progress indicator keeps track of the token count of the question you submit. - -Advanced settings on the left determine how much flexibility the chat model has in supplementing the grounding data, and how many chunks are provided to the model to generate its response. - -+ Strictness level 5 means no supplementation. 
Only your grounding data is used, which means the search engine plays a large role in the quality of the response. Semantic ranking can be helpful in this scenario because the ranking models do a better job of inferring the intent of the query. Lower levels of strictness produce more verbose answers, but might also include information that isn't in your index. - -+ Retrieved documents are the number of matching search results used to answer the question. It's capped at 20 to minimize latency and to stay under the model input limits. - - :::image type="content" source="media/search-get-started-rag/azure-openai-studio-advanced-settings.png" alt-text="Screenshot of the advanced settings."::: - -1. Start with these advanced settings: - - + Verify the **Limit responses to your data content** option is selected. - + Strictness set to 3 or 4. - + Retrieved documents set to 20. Maximum documents give the model more information to work with when generating responses. The tradeoff for maximum documents is increased query latency, but you can experiment with chat replay to find the right balance. - -1. Send your first query. The chat models perform best in question and answer exercises. For example, "who gave the Gettysburg speech" or "when was the Gettysburg speech delivered". - - More complex queries, such as "why was Gettysburg important", perform better if the model has some latitude to answer (lower levels of strictness) or if semantic ranking is enabled. - - Queries that require deeper analysis or language understanding, such as "how many speeches are in the vector store", will probably fail. Remember that the search engine looks for chunks having exact or similar terms, phrases, or construction to the query. And while the model might understand the question, if search results are chunks from speeches, it's not the right information to answer that kind of question. 
- - Finally, chats are constrained by the number of documents (chunks) returned in the response (limited to 3-20 in Azure OpenAI Studio playground). As you can imagine, posing a question about "all of the titles" requires a full scan of the entire vector store. You could modify the generated code (assuming you [deploy the solution](/azure/ai-services/openai/use-your-data-quickstart#deploy-your-model)) to allow for [service-side exhaustive search](vector-search-how-to-create-index.md#add-a-vector-search-configuration) on your queries. - - :::image type="content" source="media/search-get-started-rag/chat-results.png" lightbox="media/search-get-started-rag/chat-results.png" alt-text="Screenshot of a chat session."::: - -## Next steps - -In the playground, it's easy to start over with different data and configurations and compare the results. If you didn't try **Hybrid + semantic** the first time, perhaps try again with [semantic ranking enabled](semantic-how-to-enable-disable.md). - -If you need customization and tuning that the playground can't provide, take a look at code samples that demonstrate the full range of APIs for RAG applications based on Azure AI Search. Samples are available in [Python](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-python), [C#](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-dotnet), and [JavaScript](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-javascript). - -## Clean up - -Azure AI Search is a billable resource for as long as the service exists. If it's no longer needed, delete it from your subscription to avoid charges. \ No newline at end of file diff --git a/articles/search/search-get-started-vector.md b/articles/search/search-get-started-vector.md index ff6b4b5af5513..380ed71df5117 100644 --- a/articles/search/search-get-started-vector.md +++ b/articles/search/search-get-started-vector.md 
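Review bot: deleting search-get-started-retrieval-augmented-generation.md (hunk @@ -1,134 +0,0) removes an article that the TOC and other pages may still link to, and nothing visible in this diff updates toc.yml or any article that links to it; confirm those links are removed or pointed at the replacement article, otherwise the build reports broken links. The deleted page also linked to semantic-how-to-enable-disable.md, hybrid-search-overview.md and the vector samples; check whether any of those pages carried a back-link to this quickstart.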
@@ -138,7 +138,7 @@ The index schema is organized around hotels content. Sample data consists of vec "filterable": true, "retrievable": true, "sortable": false, - "facetable": true, + "facetable": true }, { "name": "Address", diff --git a/articles/search/search-howto-index-encrypted-blobs.md b/articles/search/search-howto-index-encrypted-blobs.md index 1c45b0dab017c..e593c9df38844 100644 --- a/articles/search/search-howto-index-encrypted-blobs.md +++ b/articles/search/search-howto-index-encrypted-blobs.md @@ -11,7 +11,7 @@ ms.custom: - ignite-2023 ms.service: cognitive-search ms.topic: tutorial -ms.date: 01/28/2022 +ms.date: 03/18/2024 --- # Tutorial: Index and enrich encrypted blobs for full-text search in Azure AI Search 
@@ -20,7 +20,7 @@ This tutorial shows you how to use [Azure AI Search](search-what-is-azure-search Normally, an indexer can't extract content from encrypted files because it doesn't have access to the customer-managed encryption key in [Azure Key Vault](../key-vault/general/overview.md). However, by leveraging the [DecryptBlobFile custom skill](https://github.com/Azure-Samples/azure-search-power-skills/blob/main/Utils/DecryptBlobFile), followed by the [Document Extraction skill](cognitive-search-skill-document-extraction.md), you can provide controlled access to the key to decrypt the files and then extract content from them. This unlocks the ability to index and enrich these documents without compromising the encryption status of your stored documents. -Starting with previously encrypted whole documents (unstructured text) such as PDF, HTML, DOCX, and PPTX in Azure Blob Storage, this tutorial uses Postman and the Search REST APIs to perform the following tasks: +Starting with previously encrypted whole documents (unstructured text) such as PDF, HTML, DOCX, and PPTX in Azure Blob Storage, this tutorial uses a REST client and the Search REST APIs to perform the following tasks: > [!div class="checklist"] > + Define a pipeline that decrypts the documents and extracts text from them. @@ -40,8 +40,6 @@ If you don't have an Azure subscription, open a [free account](https://azure.mic + [Azure Key Vault](https://azure.microsoft.com/services/key-vault/) in the same subscription as Azure AI Search. The key vault must have **soft-delete** and **purge protection** enabled. -+ [Postman app](https://www.postman.com/downloads/) - Custom skill deployment creates an Azure Function app and an Azure Storage account. Since these resources are created for you, they aren't listed as a prerequisite. When you're finished with this tutorial, remember to clean up the resources so that you aren't billed for services you're not using. > [!NOTE] 
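Review bot: the hunk at @@ -40,8 drops the Postman prerequisite but adds nothing in its place, while the intro at @@ -20,7 now says the tutorial `uses a REST client`; add a prerequisite naming the client the later steps assume (for example the REST client extension for Visual Studio Code that search-get-started-rest.md in this same PR uses), so readers know where the `{{variable}}` references later in the tutorial are defined and how to send the PUT requests.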
@@ -63,7 +61,7 @@ Operationally, the DecryptBlobFile skill takes the URL and SAS token for each bl 1. Select **Review + create**, make sure you agree to the terms, and then select **Create** to deploy the Azure Function. - :::image type="content" source="media/indexing-encrypted-blob-files/arm-template.png" alt-text="Screenshot of the arm template page in Azure portal." border="true"::: + :::image type="content" source="media/indexing-encrypted-blob-files/arm-template.png" alt-text="Screenshot of the ARM template page in Azure portal." border="true"::: 1. Wait for the deployment to finish. 
@@ -109,45 +107,27 @@ You should have an Azure Function app that contains the decryption logic and an All requests require an api-key in the header of every request sent to your service. A valid key establishes trust, on a per request basis, between the application sending the request and the service that handles it. -## 2 - Set up Postman - -Install and set up Postman. - -### Download and install Postman - -1. Download the [Postman collection source code](https://github.com/Azure-Samples/azure-search-rest-samples/blob/main/index-encrypted-blobs/Index%20encrypted%20Blob%20files.postman_collection.json). - -1. Select **File** > **Import** to import the source code into Postman. - -1. Select the **Collections** tab, and then select the **...** (ellipsis) button. +## Set up a REST client -1. Select **Edit**. +Create variables for endpoints and keys: - ![Postman app showing navigation](media/indexing-encrypted-blob-files/postman-edit-menu.jpg "Go to the Edit menu in Postman") - -1. In the **Edit** dialog box, select the **Variables** tab. - - ![Postman app variables tab](media/indexing-encrypted-blob-files/postman-variables-window.jpg "Postman's variables window") - -1. On the **Variables** tab, provide the values that you've collected in the previous steps. Postman swaps in a value every time it encounters a specific variable inside double braces. For example, Postman replaces the symbol `{{admin-key}}` with the current value that you set for the search service admin API key. - - | Variable | Where to get it | - |-------------|-----------------| - | `admin-key` | On the **Keys** page of the Azure AI Search service. | - | `search-service-name` | The name of the Azure AI Search service. The URL is `https://{{search-service-name}}.search.windows.net`. | - | `storage-connection-string` | In the storage account, on the **Access Keys** tab, select **key1** > **Connection string**. 
| - | `storage-container-name` | The name of the blob container that has the encrypted files to be indexed. | - | `function-uri` | In the Azure Function under **Essentials** on the main page. | - | `function-code` | In the Azure Function, by navigating to **App keys**, clicking to show the **default** key, and copying the value. | - | `api-version` | Leave as **2020-06-30**. | - | `datasource-name` | Leave as **encrypted-blobs-ds**. | - | `index-name` | Leave as **encrypted-blobs-idx**. | - | `skillset-name` | Leave as **encrypted-blobs-ss**. | - | `indexer-name` | Leave as **encrypted-blobs-ixr**. | +| Variable | Where to get it | +|-------------|-----------------| +| `admin-key` | On the **Keys** page of the Azure AI Search service. | +| `search-service-name` | The name of the Azure AI Search service. The URL is `https://{{search-service-name}}.search.windows.net`. | +| `storage-connection-string` | In the storage account, on the **Access Keys** tab, select **key1** > **Connection string**. | +| `storage-container-name` | The name of the blob container that has the encrypted files to be indexed. | +| `function-uri` | In the Azure Function under **Essentials** on the main page. | +| `function-code` | In the Azure Function, by navigating to **App keys**, clicking to show the **default** key, and copying the value. | +| `api-version` | Leave as **2020-06-30**. | +| `datasource-name` | Leave as **encrypted-blobs-ds**. | +| `index-name` | Leave as **encrypted-blobs-idx**. | +| `skillset-name` | Leave as **encrypted-blobs-ss**. | +| `indexer-name` | Leave as **encrypted-blobs-ixr**. | ### Review and run each request -In this section, you'll issue four HTTP requests: +Use HTTP requests to create the objects of an enrichment pipeline: + **PUT request to create the index**: This search index holds the data that Azure AI Search uses and returns. 
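Review bot: in the hunk at @@ -109,45 the `api-version` row still says `Leave as **2020-06-30**`, while the rest of this PR moves the PowerShell quickstart to `2023-11-01`; update it or say why the encrypted-blobs pipeline stays on the older version. The new `Set up a REST client` section also keeps the `{{search-service-name}}` syntax from the removed Postman steps without explaining how variables are declared in the REST client (`@admin-key = ...` lines at the top of the `.rest` file), and since `admin-key`, `storage-connection-string` and `function-code` are all secrets, add a sentence telling readers to keep that file out of source control.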
@@ -157,15 +137,13 @@ In this section, you'll issue four HTTP requests: + **PUT request to create the indexer**: Running the indexer retrieves the blobs, applies the skillset, and indexes and stores the results. You must run this request last. The custom skill in the skillset invokes the decryption logic. -To issue the requests, in Postman, select the tab for the requests and select **Send** for each of them. - -## 3 - Monitor indexing +## Monitor indexing -Indexing and enrichment commence as soon as you submit the Create Indexer request. Depending on how many documents are in your storage account, indexing can take a while. To find out whether the indexer is still running, use the **Get Indexer Status** request provided as part of the Postman collection and review the response to learn whether the indexer is running, or to view error and warning information. +Indexing and enrichment commence as soon as you submit the Create Indexer request. Depending on how many documents are in your storage account, indexing can take a while. To find out whether the indexer is still running, send a **Get Indexer Status** request and review the response to learn whether the indexer is running, or to view error and warning information. If you are using the Free tier, the following message is expected: `"Could not extract content or metadata from your document. Truncated extracted text to '32768' characters"`. This message appears because blob indexing on the Free tier has a [32K limit on character extraction](search-limits-quotas-capacity.md#indexer-limits). You won't see this message for this data set on higher tiers. -## 4 - Search +## Search your content After indexer execution is finished, you can run some queries to verify that the data has been successfully decrypted and indexed. Navigate to your Azure AI Search service in the portal, and use the [search explorer](search-explorer.md) to run queries over the indexed data. 
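Review bot: in the "Monitor indexing" paragraph, **Get Indexer Status** is still bold as if it were a named request in a collection, but the collection is gone from this article. Link it to the REST reference instead, the way the private-link article in this same change does (`[Indexer Status API](/rest/api/searchservice/get-indexer-status)`), so readers of the REST-client version know which call to send.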
diff --git a/articles/search/search-howto-indexing-azure-blob-storage.md b/articles/search/search-howto-indexing-azure-blob-storage.md index 85095d52c14df..cb71101df4291 100644 --- a/articles/search/search-howto-indexing-azure-blob-storage.md +++ b/articles/search/search-howto-indexing-azure-blob-storage.md @@ -10,7 +10,7 @@ ms.service: cognitive-search ms.custom: - ignite-2023 ms.topic: how-to -ms.date: 05/18/2023 +ms.date: 03/18/2024 --- # Index data from Azure Blob Storage 
@@ -29,7 +29,7 @@ Blob indexers are frequently used for both [AI enrichment](cognitive-search-conc + Blobs providing text content and metadata. If blobs contain binary content or unstructured text, consider adding [AI enrichment](cognitive-search-concept-intro.md) for image and natural language processing. Blob content can’t exceed the [indexer limits](search-limits-quotas-capacity.md#indexer-limits) for your search service tier. -+ A supported network configuration and data access. At a minimum, you'll need read permissions in Azure Storage. A storage connection string that includes an access key will give you read access to storage content. If instead you're using Microsoft Entra logins and roles, make sure the [search service's managed identity](search-howto-managed-identities-data-sources.md) has **Storage Blob Data Reader** permissions. ++ A supported network configuration and data access. At a minimum, you need read permissions in Azure Storage. A storage connection string that includes an access key gives you read access to storage content. If instead you're using Microsoft Entra logins and roles, make sure the [search service's managed identity](search-howto-managed-identities-data-sources.md) has **Storage Blob Data Reader** permissions. By default, both search and storage accept requests from public IP addresses. If network security isn't an immediate concern, you can index blob data using just the connection string and read permissions. When you're ready to add network protections, see [Indexer access to content protected by Azure network security features](search-indexer-securing-resources.md) for guidance about data access. 
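Review bot: "A storage connection string that includes an access key gives you read access to storage content" understates what the key grants. A storage account access key is not scoped to read; it is the read-only `Storage Blob Data Reader` role named in the next sentence that limits the indexer to what it actually needs. Suggest "gives you access to storage content (the key isn't limited to read)" so the contrast between the two options is clear.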
@@ -58,7 +58,7 @@ Before you set up indexing, review your source data to determine whether any cha | "AzureSearch_Skip" |`"true"` |Instructs the blob indexer to completely skip the blob. Neither metadata nor content extraction is attempted. This is useful when a particular blob fails repeatedly and interrupts the indexing process. | | "AzureSearch_SkipContent" |`"true"` | Skips content and extracts just the metadata. this is equivalent to the `"dataToExtract" : "allMetadata"` setting described in [configuration settings](#configure-and-run-the-blob-indexer) , just scoped to a particular blob. | -If you don't set up inclusion or exclusion criteria, the indexer will report an ineligible blob as an error and move on. If enough errors occur, processing might stop. You can specify error tolerance in the indexer [configuration settings](#configure-and-run-the-blob-indexer). +If you don't set up inclusion or exclusion criteria, the indexer reports an ineligible blob as an error and move on. If enough errors occur, processing might stop. You can specify error tolerance in the indexer [configuration settings](#configure-and-run-the-blob-indexer). An indexer typically creates one search document per blob, where the text content and metadata are captured as searchable fields in an index. If blobs are whole files, you can potentially parse them into [multiple search documents](search-howto-index-one-to-many-blobs.md). For example, you can parse rows in a [CSV file](search-howto-index-csv-blobs.md) to create one search document per row. 
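Review bot: the rewrite introduces a subject-verb error: "the indexer reports an ineligible blob as an error and move on" should read "and moves on". While here, the unchanged `AzureSearch_SkipContent` row starts a sentence with lowercase "this is equivalent".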
@@ -71,13 +71,13 @@ Textual content of a document is extracted into a string field named "content". ### Indexing blob metadata -Blob metadata can also be indexed, and that's helpful if you think any of the standard or custom metadata properties will be useful in filters and queries. +Blob metadata can also be indexed, and that's helpful if you think any of the standard or custom metadata properties are useful in filters and queries. User-specified metadata properties are extracted verbatim. To receive the values, you must define field in the search index of type `Edm.String`, with same name as the metadata key of the blob. For example, if a blob has a metadata key of `Sensitivity` with value `High`, you should define a field named `Sensitivity` in your search index and it will be populated with the value `High`. Standard blob metadata properties can be extracted into similarly named and typed fields, as listed below. The blob indexer automatically creates internal field mappings for these blob metadata properties, converting the original hyphenated name ("metadata-storage-name") to an underscored equivalent name ("metadata_storage_name"). -You still have to add the underscored fields to the index definition, but you can omit field mappings because the indexer will make the association automatically. +You still have to add the underscored fields to the index definition, but you can omit field mappings because the indexer make the association automatically. + **metadata_storage_name** (`Edm.String`) - the file name of the blob. For example, if you have a blob /my-container/my-folder/subfolder/resume.pdf, the value of this field is `resume.pdf`. 
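Review bot: "because the indexer make the association automatically" should be "makes". The unchanged sentence two lines above also drops an article: "you must define field in the search index" should be "define a field".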
@@ -99,7 +99,6 @@ It's important to point out that you don't need to define fields for all of the Currently, indexing [blob index tags](../storage/blobs/storage-blob-index-how-to.md) isn't supported by this indexer. - ## Define the data source The data source definition specifies the data to index, credentials, and policies for identifying changes in the data. A data source is defined as an independent resource so that it can be used by multiple indexers. @@ -169,7 +168,6 @@ In a [search index](search-what-is-an-index.md), add fields to accept the conten { "name": "metadata_storage_size", "type": "Edm.Int64", "searchable": false, "filterable": true, "sortable": true }, { "name": "metadata_storage_content_type", "type": "Edm.String", "searchable": false, "filterable": true, "sortable": true }, ] - } } ``` @@ -311,7 +309,8 @@ PUT /indexers/[indexer name]?api-version=2020-06-30 "failOnUnsupportedContentType" : false, "failOnUnprocessableDocument" : false, "indexStorageMetadataOnlyForOversizedDocuments": false - } + } + } } ``` 
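Review bot: in the index-definition hunk (@@ -169,7), removing the extra `}` fixes the brace count, but the fields array still ends with `}, ]` (trailing comma after the `metadata_storage_content_type` field), which strict JSON parsers reject; drop that comma too so the sample can be pasted as-is. In the indexer hunk (@@ -311,7) the added `}` closes `parameters`; please confirm against the full sample that `configuration`, `parameters` and the outer object each close exactly once, since only the tail is visible here.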
@@ -323,9 +322,7 @@ PUT /indexers/[indexer name]?api-version=2020-06-30 |"failOnUnprocessableDocument" | true or false | If the indexer is unable to process a document of an otherwise supported content type, specify whether to continue or fail the job. | | "indexStorageMetadataOnlyForOversizedDocuments" | true or false | Oversized blobs are treated as errors by default. If you set this parameter to true, the indexer will try to index its metadata even if the content can’t be indexed. For limits on blob size, see [service Limits](search-limits-quotas-capacity.md). | -## Next steps - -You can now control how you [run the indexer](search-howto-run-reset-indexers.md), [monitor status](search-howto-monitor-indexers.md), or [schedule indexer execution](search-howto-schedule-indexers.md). The following articles apply to indexers that pull content from Azure Storage: +## See also + [Change detection and deletion detection](search-howto-index-changed-deleted-blobs.md) + [Index large data sets](search-howto-large-index.md) diff --git a/articles/search/search-indexer-howto-access-private.md b/articles/search/search-indexer-howto-access-private.md index c03872243d94a..2101e9e88900f 100644 --- a/articles/search/search-indexer-howto-access-private.md +++ b/articles/search/search-indexer-howto-access-private.md 
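Review bot: renaming "Next steps" to "See also" also deletes the sentence that linked to running the indexer (search-howto-run-reset-indexers.md), monitoring status (search-howto-monitor-indexers.md), and scheduling (search-howto-schedule-indexers.md); nothing in the remaining list replaces those links. Suggest keeping them as three more bullets under "See also".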
@@ -45,8 +45,13 @@ Only your search service can use the private links that it creates, and there ca Once you set up the private link, it's used automatically whenever the search service connects to that PaaS resource. You don't need to modify the connection string or alter the client you're using to issue the requests, although the device used for the connection must connect using an authorized IP in the Azure PaaS resource's firewall. -> [!NOTE] -> There are two scenarios for using [Azure Private Link](../private-link/private-link-overview.md) and Azure AI Search together. Creating a shared private link is one scenario, relevant when an *outbound* connection to Azure PaaS requires a private connection. The second scenario is [configure search for a private *inbound* connection](service-create-private-endpoint.md) from clients that run in a virtual network. While both scenarios have a dependency on Azure Private Link, they are independent. You can create a shared private link without having to configure your own search service for a private endpoint. +There are two scenarios for using [Azure Private Link](../private-link/private-link-overview.md) and Azure AI Search together. + ++ Scenario one: create a shared private link when an *outbound* (indexer) connection to Azure PaaS requires a private connection. + ++ Scenario two: [configure search for a private *inbound* connection](service-create-private-endpoint.md) from clients that run in a virtual network. + +While both scenarios have a dependency on Azure Private Link, they are independent. You can create a shared private link without having to configure your own search service for a private endpoint. ### Limitations 
@@ -353,10 +358,6 @@ This step shows you how to configure the indexer to run in the private environme } ``` - Following is an example of the request in Postman. - - ![Screenshot showing the creation of an indexer on the Postman user interface.](media\search-indexer-howto-secure-access\create-indexer.png) - After the indexer is created successfully, it should connect to the Azure resource over the private endpoint connection. You can monitor the status of the indexer by using the [Indexer Status API](/rest/api/searchservice/get-indexer-status). > [!NOTE] @@ -366,7 +367,7 @@ After the indexer is created successfully, it should connect to the Azure resour 1. If you haven't done so already, verify that your Azure PaaS resource refuses connections from the public internet. If connections are accepted, review the DNS settings in the **Networking** page of your Azure PaaS resource. -1. Choose a tool that can invoke an outbound request scenario, such as an indexer connection to a private endpoint. An easy choice is using the **Import data** wizard, but you can also try the Postman app and REST APIs for more precision. Assuming that your search service isn't also configured for a private connection, the REST client connection to Search can be over the public internet. +1. Choose a tool that can invoke an outbound request scenario, such as an indexer connection to a private endpoint. An easy choice is using the **Import data** wizard, but you can also try a REST client and REST APIs for more precision. Assuming that your search service isn't also configured for a private connection, the REST client connection to search can be over the public internet. 1. Set the connection string to the private Azure PaaS resource. The format of the connection string doesn't change for shared private link. The search service invokes the shared private link internally. 
diff --git a/articles/search/search-query-troubleshoot-collection-filters.md b/articles/search/search-query-troubleshoot-collection-filters.md index b6e3830651be9..41a63cd0d9a90 100644 --- a/articles/search/search-query-troubleshoot-collection-filters.md +++ b/articles/search/search-query-troubleshoot-collection-filters.md @@ -9,11 +9,11 @@ ms.service: cognitive-search ms.custom: - ignite-2023 ms.topic: conceptual -ms.date: 01/30/2023 +ms.date: 03/18/2024 --- # Troubleshooting OData collection filters in Azure AI Search -To [filter](query-odata-filter-orderby-syntax.md) on collection fields in Azure AI Search, you can use the [`any` and `all` operators](search-query-odata-collection-operators.md) together with **lambda expressions**. A lambda expression is a sub-filter that is applied to each element of a collection. +To [filter](query-odata-filter-orderby-syntax.md) on collection fields in Azure AI Search, you can use the [`any` and `all` operators](search-query-odata-collection-operators.md) together with **lambda expressions**. A lambda expression is a subfilter that is applied to each element of a collection. Not every feature of filter expressions is available inside a lambda expression. Which features are available differs depending on the data type of the collection field that you want to filter. This can result in an error if you try to use a feature in a lambda expression that isn't supported in that context. If you're encountering such errors while trying to write a complex filter over collection fields, this article will help you troubleshoot the problem. 
@@ -23,11 +23,11 @@ The following table lists errors that you might encounter when trying to execute | Error message | Situation | Details| | --- | --- | --- | -| The function 'ismatch' has no parameters bound to the range variable 's'. Only bound field references are supported inside lambda expressions ('any' or 'all'). However, you can change your filter so that the 'ismatch' function is outside the lambda expression and try again. | Using `search.ismatch` or `search.ismatchscoring` inside a lambda expression | [Rules for filtering complex collections](#bkmk_complex) | +| The function `ismatch` has no parameters bound to the range variable 's'. Only bound field references are supported inside lambda expressions ('any' or 'all'). However, you can change your filter so that the `ismatch` function is outside the lambda expression and try again. | Using `search.ismatch` or `search.ismatchscoring` inside a lambda expression | [Rules for filtering complex collections](#bkmk_complex) | | Invalid lambda expression. Found a test for equality or inequality where the opposite was expected in a lambda expression that iterates over a field of type Collection(Edm.String). For 'any', use expressions of the form 'x eq y' or 'search.in(...)'. For 'all', use expressions of the form 'x ne y', 'not (x eq y)', or 'not search.in(...)'. | Filtering on a field of type `Collection(Edm.String)` | [Rules for filtering string collections](#bkmk_strings) | -| Invalid lambda expression. Found an unsupported form of complex Boolean expression. For 'any', use expressions that are 'ORs of ANDs', also known as Disjunctive Normal Form. For example: `(a and b) or (c and d)` where a, b, c, and d are comparison or equality sub-expressions. For 'all', use expressions that are 'ANDs of ORs', also known as Conjunctive Normal Form. For example: `(a or b) and (c or d)` where a, b, c, and d are comparison or inequality sub-expressions. Examples of comparison expressions: 'x gt 5', 'x le 2'. 
Example of an equality expression: 'x eq 5'. Example of an inequality expression: 'x ne 5'. | Filtering on fields of type `Collection(Edm.DateTimeOffset)`, `Collection(Edm.Double)`, `Collection(Edm.Int32)`, or `Collection(Edm.Int64)` | [Rules for filtering comparable collections](#bkmk_comparables) | +| Invalid lambda expression. Found an unsupported form of complex Boolean expression. For 'any', use expressions that are 'ORs of ANDs', also known as Disjunctive Normal Form. For example: `(a and b) or (c and d)` where a, b, c, and d are comparison or equality subexpressions. For 'all', use expressions that are 'ANDs of ORs', also known as Conjunctive Normal Form. For example: `(a or b) and (c or d)` where a, b, c, and d are comparison or inequality subexpressions. Examples of comparison expressions: 'x gt 5', 'x le 2'. Example of an equality expression: 'x eq 5'. Example of an inequality expression: 'x ne 5'. | Filtering on fields of type `Collection(Edm.DateTimeOffset)`, `Collection(Edm.Double)`, `Collection(Edm.Int32)`, or `Collection(Edm.Int64)` | [Rules for filtering comparable collections](#bkmk_comparables) | | Invalid lambda expression. Found an unsupported use of geo.distance() or geo.intersects() in a lambda expression that iterates over a field of type Collection(Edm.GeographyPoint). For 'any', make sure you compare geo.distance() using the 'lt' or 'le' operators and make sure that any usage of geo.intersects() isn't negated. For 'all', make sure you compare geo.distance() using the 'gt' or 'ge' operators and make sure that any usage of geo.intersects() is negated. | Filtering on a field of type `Collection(Edm.GeographyPoint)` | [Rules for filtering GeographyPoint collections](#bkmk_geopoints) | -| Invalid lambda expression. Complex Boolean expressions aren't supported in lambda expressions that iterate over fields of type Collection(Edm.GeographyPoint). For 'any', join sub-expressions with 'or'; 'and' isn't supported. 
For 'all', oin sub-expressions with 'and'; 'or' isn't supported. | Filtering on fields of type `Collection(Edm.String)` or `Collection(Edm.GeographyPoint)` | [Rules for filtering string collections](#bkmk_strings)

[Rules for filtering GeographyPoint collections](#bkmk_geopoints) | +| Invalid lambda expression. Complex Boolean expressions aren't supported in lambda expressions that iterate over fields of type Collection(Edm.GeographyPoint). For 'any', join subexpressions with 'or'; 'and' isn't supported. For 'all', join subexpressions with 'and'; 'or' isn't supported. | Filtering on fields of type `Collection(Edm.String)` or `Collection(Edm.GeographyPoint)` | [Rules for filtering string collections](#bkmk_strings)

[Rules for filtering GeographyPoint collections](#bkmk_geopoints) | | Invalid lambda expression. Found a comparison operator (one of 'lt', 'le', 'gt', or 'ge'). Only equality operators are allowed in lambda expressions that iterate over fields of type Collection(Edm.String). For 'any', se expressions of the form 'x eq y'. For 'all', use expressions of the form 'x ne y' or 'not (x eq y)'. | Filtering on a field of type `Collection(Edm.String)` | [Rules for filtering string collections](#bkmk_strings) | @@ -65,7 +65,7 @@ For example, these expressions are allowed: - `tags/any(t: t eq 'books' or t eq 'games')` - `tags/all(t: t ne 'books' and not (t eq 'games'))` -while these expressions aren't allowed: +While these expressions aren't allowed: - `tags/any(t: t ne 'books')` - `tags/any(t: not search.in(t, 'books, games, toys'))` 
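Review bot: the last row of the error table still has the typo "se expressions of the form" (should be "use expressions"); the hunk fixed "oin" in the row above but this row is unchanged. Also, in the rewritten GeographyPoint row, the Details cell carries its two links on separate lines with a blank line between them; a blank line inside a cell ends a Markdown table, so if that is really in the source, put both links on one line (separated by a comma or `<br>`).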
@@ -102,11 +102,11 @@ Expressions such as the following aren't allowed for Boolean collections: ## Rules for filtering GeographyPoint collections -Values of type `Edm.GeographyPoint` in a collection can’t be compared directly to each other. Instead, they must be used as parameters to the `geo.distance` and `geo.intersects` functions. The `geo.distance` function in turn must be compared to a distance value using one of the comparison operators `lt`, `le`, `gt`, or `ge`. These rules also apply to non-collection Edm.GeographyPoint fields. +Values of type `Edm.GeographyPoint` in a collection can’t be compared directly to each other. Instead, they must be used as parameters to the `geo.distance` and `geo.intersects` functions. The `geo.distance` function in turn must be compared to a distance value using one of the comparison operators `lt`, `le`, `gt`, or `ge`. These rules also apply to noncollection Edm.GeographyPoint fields. Like string collections, `Edm.GeographyPoint` collections have some rules for how the geo-spatial functions can be used and combined in the different types of lambda expressions: -- Which comparison operators you can use with the `geo.distance` function depends on the type of lambda expression. For `any`, you can use only `lt` or `le`. For `all`, you can use only `gt` or `ge`. You can negate expressions involving `geo.distance`, but you'll have to change the comparison operator (`geo.distance(...) lt x` becomes `not (geo.distance(...) ge x)` and `geo.distance(...) le x` becomes `not (geo.distance(...) gt x)`). +- Which comparison operators you can use with the `geo.distance` function depends on the type of lambda expression. For `any`, you can use only `lt` or `le`. For `all`, you can use only `gt` or `ge`. You can negate expressions involving `geo.distance`, but you have to change the comparison operator (`geo.distance(...) lt x` becomes `not (geo.distance(...) ge x)` and `geo.distance(...) le x` becomes `not (geo.distance(...) gt x)`). 
- In the body of an `all`, the `geo.intersects` function must be negated. Conversely, in the body of an `any`, the `geo.intersects` function must not be negated. - In the body of an `any`, geo-spatial expressions can be combined using `or`. In the body of an `all`, such expressions can be combined using `and`. @@ -189,7 +189,7 @@ Second, referencing fields that aren't *bound* to the range variable (so-called 1. `stores/any(s: s/amenities/any(a: a eq 'parking')) and details/margin gt 0.5` 1. `stores/any(s: s/amenities/any(a: a eq 'parking' and details/margin gt 0.5))` -The first expression will be allowed, while the second form will be rejected because `details/margin` isn't bound to the range variable `s`. +The first expression is allowed, while the second form is rejected because `details/margin` isn't bound to the range variable `s`. This rule also extends to expressions that have variables bound in an outer scope. Such variables are free with respect to the scope in which they appear. For example, the first expression is allowed, while the second equivalent expression isn't allowed because `s/name` is free with respect to the scope of the range variable `a`: diff --git a/articles/virtual-desktop/includes/include-whats-new-client-ios-ipados.md b/articles/virtual-desktop/includes/include-whats-new-client-ios-ipados.md index 73bc67ab3a415..5f7b86aca5e4d 100644 --- a/articles/virtual-desktop/includes/include-whats-new-client-ios-ipados.md +++ b/articles/virtual-desktop/includes/include-whats-new-client-ios-ipados.md @@ -2,7 +2,7 @@ author: dknappettmsft ms.author: daknappe ms.topic: include -ms.date: 01/19/2024 +ms.date: 03/19/2024 --- ## Latest client versions 
@@ -11,8 +11,18 @@ The following table lists the current versions available for the public and beta | Release | Latest version | Download | |---------|----------------|----------| -| Public | 10.5.4 | [App Store](https://apps.apple.com/app/microsoft-remote-desktop/id714464092) | -| Beta | 10.5.4 | [TestFlight](https://testflight.apple.com/join/vkLIflUJ) | +| Public | 10.5.5 | [App Store](https://apps.apple.com/app/microsoft-remote-desktop/id714464092) | +| Beta | 10.5.5 | [TestFlight](https://testflight.apple.com/join/vkLIflUJ) | + +## Updates for version 10.5.5 + +*Published: February 24, 2024* + +In this release, we made the following changes: + +- Fixed accessibility issues. +- Fixed bugs reported by users and internal telemetry. +- As of this release, the iOS client only supports iOS 16 and later. ## Updates for version 10.5.4 @@ -21,7 +31,7 @@ The following table lists the current versions available for the public and beta >[!NOTE] > There is no version 10.5.3. -In this release, we've made the following changes: +In this release, we made the following changes: - Fixed theming update issues on iOS 17. - Addressed pop-up sheet layout bugs on iOS 17. @@ -36,7 +46,7 @@ In this release, we've made the following changes: *Published: October 24, 2023* -In this release, we've made the following changes: +In this release, we made the following changes: - Added support for dual monitors when using iPads with Stage Manager. - Addressed reported accessibility bugs. @@ -46,7 +56,7 @@ In this release, we've made the following changes: *Published: September 5th, 2023* -In this release, we've made the following changes: +In this release, we made the following changes: - Added support for displaying sessions on an external monitor. You can use this new feature with iPad and iPhone using AirPlay or a physical cable. - Added support for location redirection. To use this feature, you need access to your device location, and your session hosts must be running Windows 11 or later. 
@@ -55,7 +65,7 @@ In this release, we've made the following changes: *Published: July 10, 2023* -In this release, we've made the following changes: +In this release, we made the following changes: - Fixed an issue with IPv6 address resolution that was blocking connectivity. - Addressed a deadlock that could occur in server redirection scenarios. @@ -64,9 +74,9 @@ In this release, we've made the following changes: *Published: June 20, 2023* -In this release, we've made the following changes: +In this release, we made the following changes: -- We've changed the connection bar to always start expanded by default. You can minimize the connection bar by dragging it to a corner of the screen. To return the connection bar to its regular size, drag it to the center of the screen. +- We changed the connection bar to always start expanded by default. You can minimize the connection bar by dragging it to a corner of the screen. To return the connection bar to its regular size, drag it to the center of the screen. - You can now dismiss all in-app messages by swiping downwards. - Fixed an issue that caused graphics to look distorted in Lock to Landscape mode. 
@@ -74,15 +84,15 @@ In this release, we've made the following changes: *Published: May 17, 2023* -In this release we've made some tweaks around the behavior of the connection bar on iPads and fixed some bugs to keep things running smoothly. +In this release we made some tweaks around the behavior of the connection bar on iPads and fixed some bugs to keep things running smoothly. -We've made the following changes to the iPad connection bar: +We made the following changes to the iPad connection bar: - We fixed an issue that caused the connection bar to get stuck under the Stage Manager ellipsis menu. - The connection bar will now be docked on the right side of the screen when you turn your iPad on. The iOS client will also save the position you dock your screen in across all your iPad and iPhone devices. - We moved the Add a PC or Workspace button to the center of the toolbar at the bottom of the screen. -We've also made the following other changes: +We also made the following other changes: - Fixed an issue where session rotation wasn't working on iOS 16. - Resolved an issue where the search box in the Connection Center went out of focus when the user tried entering characters. @@ -92,7 +102,7 @@ We've also made the following other changes: *Published: March 7, 2023* -In this release, we've removed the global prompt for camera and microphone access when you first open and run the iOS client. Instead, whenever a connection bookmark or published resource requests access, you'll receive a prompt asking whether you want to give permission. +In this release, we removed the global prompt for camera and microphone access when you first open and run the iOS client. Instead, whenever a connection bookmark or published resource requests access, you'll receive a prompt asking whether you want to give permission. We also fixed some bugs and added some small additional features: 
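Review bot: "In this release we made some tweaks" needs a comma after "release" to match the "In this release, we made" form used in every other entry of this file.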
@@ -108,7 +118,7 @@ We also fixed some bugs and added some small additional features: *Published: November 2, 2022* -In this release, we've made the following changes: +In this release, we made the following changes: - Fixed a WebSocket transport bug that affected some Azure Virtual Desktop deployments - Addressed accessibility compliance issues. @@ -117,14 +127,14 @@ In this release, we've made the following changes: *Published: October 4, 2022* -In this release, we've made targeted bug fixes and performance improvements, and also added new features. Here's what we've included: +In this release, we made targeted bug fixes and performance improvements, and also added new features. Here's what we included: - You can now use Apple Pencil to draw, write, and interact with remote sessions. - You can now see a live preview of the current active session when switching to the Connection Center from a remote session. - Gather logs for troubleshooting by going to **Settings** > **Troubleshooting**. - Review app highlights from previous versions by going to **Settings** > **About** > **Version Highlights**. -- We've made some small appearance changes to the connection bar user interface. -- We've fixed issues that affected locking to landscape or portrait on iOS 16. +- We made some small appearance changes to the connection bar user interface. +- We fixed issues that affected locking to landscape or portrait on iOS 16. ## Updates for version 10.4.3 
@@ -152,7 +162,7 @@ This is a significant update with some new feature additions and lots of bug fix The biggest change in this release is that you can now dynamically change the orientation of the remote session to either landscape or portrait mode while connected to a machine running Windows 8.1, Windows Server 2012 R2 or later. You can set your orientation preferences in **Settings** > **Display**. -To work seamlessly with dynamic orientation, we've made updates to the following experiences: +To work seamlessly with dynamic orientation, we made updates to the following experiences: - The in-session immersive switcher has a revamped look and feel, and can accommodate both landscape and portrait orientation. - The on-screen keyboard has been redesigned to support portrait orientation. @@ -170,7 +180,7 @@ In addition, we’ve made the following improvements: - Updated the in-session connection bar to fade back after three seconds if you minimize it. - Added support for smooth scrolling in the connection center on ProMotion-compatible iPhones and iPads. -We've also made some updates to enhance Azure Virtual Desktop scenarios: +We also made some updates to enhance Azure Virtual Desktop scenarios: - Integrated the Microsoft Authentication Library (MSAL) or OneAuth component to improve current and future authentication scenarios. - Added eTag support to speed up Azure Virtual Desktop workspace refresh. @@ -188,7 +198,7 @@ In this release we added support for the iPad Mini 6 and addressed an issue with *Published: October 28, 2021* -In this release, we've added support for time zone redirection. This new feature fixes an issue in Windows 11 remote sessions that caused the screen to flicker, making the session unusable. +In this release, we added support for time zone redirection. This new feature fixes an issue in Windows 11 remote sessions that caused the screen to flicker, making the session unusable. ## Updates for version 10.3.1 
@@ -200,7 +210,7 @@ In this release, we worked around a 0x907 (mismatched certificate) error code th Published: May 27, 2021* -In this release, we've made some significant updates to the shared underlying code that powers the Remote Desktop experience across all our clients. We've also added some new features and addressed bugs and crashes that were showing up in error reporting. +In this release, we made some significant updates to the shared underlying code that powers the Remote Desktop experience across all our clients. We also added some new features and addressed bugs and crashes that were showing up in error reporting. - You can now drag IME candidate window in the client. - Integrated Kerberos support in the CredSSP security protocol sequence. @@ -224,7 +234,7 @@ In this release, we made the following updates: *Published: 02/01/2021* -In this release, we've made the following changes to the connection bar and in-session user experience: +In this release, we made the following changes to the connection bar and in-session user experience: - You can now collapse the connection bar by moving it into one of the four corners of the screen. - On iPads and large iPhones you can dock the connection bar to the left or right edge of the screen. 
@@ -239,13 +249,13 @@ We also addressed some accessibility bugs and the following two issues: *Published: 12/15/2020* -In this release, we've fixed issues that caused crashes and interfered with the "Display Zoom View" setting. We've also tweaked the "Use Full Display" setting to only appear on applicable iPads and adjusted the available resolutions for iPhones and iPads. +In this release, we fixed issues that caused crashes and interfered with the "Display Zoom View" setting. We also tweaked the "Use Full Display" setting to only appear on applicable iPads and adjusted the available resolutions for iPhones and iPads. ## Updates for version 10.2.2 *Published: 11/23/2020* -In this release, we've addressed some bugs affecting users running iOS 14 and iPadOS 14. +In this release, we addressed some bugs affecting users running iOS 14 and iPadOS 14. ## Updates for version 10.2.1 @@ -274,7 +284,7 @@ In this release, we addressed some compatibility issues with iOS and iPadOS 14. *Published: 11/06/2020* -We've put together some bug fixes and small feature updates for this release. Here's what's new: +We put together some bug fixes and small feature updates for this release. Here's what's new: - Addressed an issue where the client would report a 0x5000007 error message when trying to connect to an RD Gateway server. - User account passwords updated in the credential UI are now saved after successfully signing in. @@ -288,7 +298,7 @@ We've put together some bug fixes and small feature updates for this release. He *Published: 11/06/2020* -We've put together some bug fixes and feature updates for this release. Here's what's new: +We put together some bug fixes and feature updates for this release. Here's what's new: - The input mode (Mouse Pointer or Touch mode) is now global across all active PC and RemoteApp connections. - Fixed an issue that prevented microphone redirection from working consistently. 
@@ -304,7 +314,7 @@ We've put together some bug fixes and feature updates for this release. Here's w *Published 8/17/2020* -In this update, we've addressed issues that were reported in this release. +In this update, we addressed issues that were reported in this release. - Fixed a crash that occurred for some users when subscribing to an Azure Virtual Desktop feed using non-brokered authentication. - Fixed the layout of workspace icons on the iPhone X, iPhone XS, and iPhone 11 Pro. @@ -313,7 +323,7 @@ In this update, we've addressed issues that were reported in this release. *Published: 11/06/2020* -Here’s what we've included in this release: +Here’s what we included in this release: - Fixed a bug that prevented typing in Korean. - Added support for F1 through F12, Home, End, PgUp and PgDn keys on hardware keyboards. 
@@ -325,20 +335,20 @@ Here’s what we've included in this release: - Resized the RD client mouse cursor to be consistent with the current client scale factor. - The client now checks for network connectivity before launching a workspace resource or PC connection. - Hitting the remapped Escape button or Cmd+. now cancels out of any credential prompt. -- We've added some animations and polish that appear when you move the mouse cursor around on iPads running iPadOS 13.4 or later. +- We added some animations and polish that appear when you move the mouse cursor around on iPads running iPadOS 13.4 or later. ## Updates for version 10.1.0 *Published: 11/06/2020* -In this release, we've made the following changes: +In this release, we made the following changes: - If you're using iPadOS 13.4 or later, can now control the remote session with a mouse or trackpad. - The client now supports the following Apple Magic Mouse 2 and Apple Magic Trackpad 2 gestures: left-click, left-drag, right-click, right-drag, horizontal and vertical scrolling, and local zooming. - For external mice, the client now supports left-click, left-drag, right-click, right-drag, middle-click, and vertical scrolling. - The client now supports keyboard shortcuts that use Ctrl, Alt, or Shift keys with the mouse or trackpad, including multi-select and range-select. - The client now supports the "Tap-to-Click" feature for the trackpad. -- We've updated the Mouse Pointer mode's right-click gesture to press-and-hold (not press-and-hold-and-release). On the iPhone client we've thrown in some taptic feedback when we detect the right-click gesture. +- We updated the Mouse Pointer mode's right-click gesture to press-and-hold (not press-and-hold-and-release). On the iPhone client we thrown in some taptic feedback when we detect the right-click gesture. - Added an option to disable NLA enforcement under **iOS Settings** > **RD Client**. 
- Mapped Control+Shift+Escape to Ctrl+Shift+Esc, where Escape is generated using a remapped key on iPadOS or Command+. - Mapped Command+F to Ctrl+F. @@ -351,13 +361,13 @@ In this release, we've made the following changes: *Published: 4/29/2020* -In this update we've added the ability to sort the PC list view (available on iPhone) by name or time last connected. +In this update we added the ability to sort the PC list view (available on iPhone) by name or time last connected. ## Updates for version 10.0.6 *Published: 3/31/2020* -In this release, we've made the following changes: +In this release, we made the following changes: - Fixed a number of VoiceOver accessibility issues. - Fixed an issue where users couldn't connect with Turkish credentials. @@ -371,7 +381,7 @@ In this release, we've made the following changes: *Published: 03/09/20* -We've put together some bug fixes and feature updates for this release. Here's what's new: +We put together some bug fixes and feature updates for this release. Here's what's new: - Launched RDP files are now automatically imported (look for the toggle in General settings). - You can now launch iCloud-based RDP files that haven't been downloaded in the Files app yet. @@ -396,7 +406,7 @@ We've put together some bug fixes and feature updates for this release. Here's w *Published: 02/03/20* -In this release, we've made the following changes: +In this release, we made the following changes: - Confirmation UI is now shown when deleting user accounts and gateways. - The search UI in the Connection Center has been slightly reworked. @@ -412,7 +422,7 @@ In this release, we've made the following changes: *Published: 01/16/20* -In this release, we've made the following changes: +In this release, we made the following changes: - Support for launching connections from RDP files and RDP URIs. - Workspace headers are now collapsible. 
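Review bot: the mechanical `We've` → `We` replacement in hunk @@ -325,20 +335,20 @@ leaves an ungrammatical sentence on the added line: `On the iPhone client we thrown in some taptic feedback when we detect the right-click gesture.` Removing the contraction also removed the auxiliary that `thrown` depends on. Rewrite that added line as `On the iPhone client we added some taptic feedback when we detect the right-click gesture.` (or `we threw in`); the other replacements in this hunk read correctly.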
@@ -431,7 +441,7 @@ In this release, we've made the following changes: *Published: 12/20/19* -We've been working hard to fix bugs and add useful features. Here's what's new in this release: +We been working hard to fix bugs and add useful features. Here's what's new in this release: - Support for Japanese and Chinese input on hardware keyboards. - The PC list view now shows the friendly name of the associated user account, if one exists. @@ -454,7 +464,7 @@ Here's what new in this release: *Published: 12/13/19* -In this release, we've made the following changes: +In this release, we made the following changes: - Support for the Azure Virtual Desktop service. - A new Connection Center UI. @@ -474,7 +484,7 @@ In this release, we've made the following changes: *Published: 06/20/2018* -In this release, we've made the following changes: +In this release, we made the following changes: - Bug fixes and performance improvements. @@ -482,6 +492,6 @@ In this release, we've made the following changes: *Published: 03/28/2018* -In this release, we've made the following changes: +In this release, we made the following changes: - Updates to address CredSSP encryption oracle remediation described in CVE-2018-0886. diff --git a/articles/virtual-desktop/users/connect-ios-ipados.md b/articles/virtual-desktop/users/connect-ios-ipados.md index 3c1331a1b167f..ce47a708f26ef 100644 --- a/articles/virtual-desktop/users/connect-ios-ipados.md +++ b/articles/virtual-desktop/users/connect-ios-ipados.md @@ -3,7 +3,7 @@ title: Connect to Azure Virtual Desktop with the Remote Desktop client for iOS a description: Learn how to connect to Azure Virtual Desktop using the Remote Desktop client for iOS and iPadOS. author: dknappettmsft ms.topic: how-to -ms.date: 03/13/2023 +ms.date: 03/19/2024 ms.author: daknappe --- 
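Review bot: the same auxiliary problem appears in hunk @@ -431,7 +441,7 @@: `We been working hard to fix bugs and add useful features.` is not grammatical once `We've` becomes `We`. Use `We worked hard to fix bugs and add useful features.` or keep the perfect tense with `We have been working hard ...`. Since this change is a bulk find-and-replace of the contraction, every sentence that used `we've` with a participle (`been`, `thrown`) needs a manual pass rather than a blind substitution.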
@@ -21,7 +21,7 @@ Before you can access your resources, you'll need to meet the following prerequi - Internet access. -- An iPhone running iOS 15 or later or an iPad running iPadOS 15 or later. +- An iPhone running iOS 16 or later or an iPad running iPadOS 16 or later. - Download and install the Remote Desktop client from the [App Store](https://apps.apple.com/app/microsoft-remote-desktop/id714464092). diff --git a/articles/virtual-desktop/whats-new-client-ios-ipados.md b/articles/virtual-desktop/whats-new-client-ios-ipados.md index d2e5bdc0c1d34..5c425e0a59a59 100644 --- a/articles/virtual-desktop/whats-new-client-ios-ipados.md +++ b/articles/virtual-desktop/whats-new-client-ios-ipados.md @@ -4,11 +4,11 @@ description: Learn about recent changes to the Remote Desktop client for iOS and ms.topic: release-notes author: heidilohr ms.author: helohr -ms.date: 01/19/2024 +ms.date: 03/19/2024 --- # What's new in the Remote Desktop client for iOS and iPadOS -In this article you'll learn about the latest updates for the Remote Desktop client for iOS and iPadOS. To learn more about using the Remote Desktop client for iOS and iPadOS with Azure Virtual Desktop, see [Connect to Azure Virtual Desktop with the Remote Desktop client for iOS and iPadOS](users/connect-ios-ipados.md) and [Use features of the Remote Desktop client for iOS and iPadOS when connecting to Azure Virtual Desktop](users/client-features-ios-ipados.md). +This article describes the latest updates for the Remote Desktop client for iOS and iPadOS. To learn more about using the Remote Desktop client for iOS and iPadOS with Azure Virtual Desktop, see [Connect to Azure Virtual Desktop with the Remote Desktop client for iOS and iPadOS](users/connect-ios-ipados.md) and [Use features of the Remote Desktop client for iOS and iPadOS when connecting to Azure Virtual Desktop](users/client-features-ios-ipados.md). [!INCLUDE [include-whats-new-client-ios-ipados](includes/include-whats-new-client-ios-ipados.md)] 
diff --git a/articles/virtual-machines/linux/quick-create-cli.md b/articles/virtual-machines/linux/quick-create-cli.md index f67fe34e95072..0d236049a9bf9 100644 --- a/articles/virtual-machines/linux/quick-create-cli.md +++ b/articles/virtual-machines/linux/quick-create-cli.md 
@@ -1,23 +1,37 @@ --- title: 'Quickstart: Use the Azure CLI to create a Linux Virtual Machine' -description: Create a Linux virtual machine using the Azure CLI. +description: In this quickstart, you learn how to use the Azure CLI to create a Linux virtual machine author: chasecrum ms.service: virtual-machines ms.collection: linux ms.topic: quickstart ms.date: 02/28/2024 -ms.author: chasecrum +ms.author: jushiman ms.reviewer: jushiman ms.custom: mvc, devx-track-azurecli, mode-api, innovation-engine, linux-related-content --- -# Create a Linux virtual machine on Azure +# Quickstart: Create a Linux virtual machine with the Azure CLI on Azure + +**Applies to:** :heavy_check_mark: Linux VMs [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/?Microsoft_Azure_CloudNative_clientoptimizations=false&feature.canmodifyextensions=true#view/Microsoft_Azure_CloudNative/SubscriptionSelectionPage.ReactView/tutorialKey/CreateLinuxVMAndSSH) +This quickstart shows you how to use the Azure CLI to deploy a Linux virtual machine (VM) in Azure. The Azure CLI is used to create and manage Azure resources via either the command line or scripts. + +If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. + +## Launch Azure Cloud Shell + +The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account. + +To open the Cloud Shell, just select **Try it** from the upper right corner of a code block. You can also open Cloud Shell in a separate browser tab by going to [https://shell.azure.com/bash](https://shell.azure.com/bash). Select **Copy** to copy the blocks of code, paste it into the Cloud Shell, and select **Enter** to run it. + +If you prefer to install and use the CLI locally, this quickstart requires Azure CLI version 2.0.30 or later. 
Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI]( /cli/azure/install-azure-cli). + ## Define environment variables -The First step is to define the environment variables. +The first step is to define the environment variables. Environment variables are commonly used in Linux to centralize configuration data to improve consistency and maintainability of the system. Create the following environment variables to specify the names of resources that you create later in this tutorial: ```bash export RANDOM_ID="$(openssl rand -hex 3)" @@ -30,11 +44,11 @@ export MY_VM_IMAGE="Canonical:0001-com-ubuntu-minimal-jammy:minimal-22_04-lts-ge ## Log in to Azure using the CLI -In order to run commands in Azure using the CLI, you need to log in first. This is done using the `az login` command. +In order to run commands in Azure using the CLI, you need to log in first. Log in using the `az login` command. ## Create a resource group -A resource group is a container for related resources. All resources must be placed in a resource group. The following command creates a resource group with the previously defined $MY_RESOURCE_GROUP_NAME and $REGION parameters. +A resource group is a container for related resources. All resources must be placed in a resource group. The [az group create](/cli/azure/group) command creates a resource group with the previously defined $MY_RESOURCE_GROUP_NAME and $REGION parameters. ```bash az group create --name $MY_RESOURCE_GROUP_NAME --location $REGION 
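Review bot: hunk @@ -1,23 +1,37 @@ in quick-create-cli.md changes `ms.author` from `chasecrum` to `jushiman` while `author: chasecrum` and `ms.reviewer: jushiman` are left as they were, so the two author fields now disagree and the same alias is listed as both author-of-record and reviewer. Confirm this ownership change is intended and align `author` with it, or revert the `ms.author` line. The same hunk leaves `ms.date: 02/28/2024` untouched although the article gains a new title, an `Applies to` line and a whole `Launch Azure Cloud Shell` section; the other files in this change bump their dates, so this one should too.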
@@ -59,7 +73,9 @@ Results: ## Create the virtual machine -To create a VM in this resource group, we need to use the `vm create` command. In the following code example, we provided the `--generate-ssh-keys` flag, which causes the CLI to look for an available ssh key in `~/.ssh`. If one is found, it is used. If not, one is generated and stored in `~/.ssh`. We also provide the `--public-ip-sku Standard` flag to ensure that the machine is accessible via a public IP address. Finally, we deploy the latest `Ubuntu 22.04` image. +To create a VM in this resource group, use the `vm create` command. + +The following example creates a VM and adds a user account. The `--generate-ssh-keys` parameter causes the CLI to look for an available ssh key in `~/.ssh`. If one is found, that key is used. If not, one is generated and stored in `~/.ssh`. The `--public-ip-sku Standard` parameter ensures that the machine is accessible via a public IP address. Finally, we deploy the latest `Ubuntu 22.04` image. All other values are configured using environment variables. @@ -74,7 +90,7 @@ az vm create \ --public-ip-sku Standard ``` -Results: +It takes a few minutes to create the VM and supporting resources. The following example output shows the VM create operation was successful. ```json @@ -105,7 +121,7 @@ az vm extension set \ ## Store IP address of VM in order to SSH -Run the following command to store the IP Address of the VM as an environment variable: +Run the following command to store the IP address of the VM as an environment variable: ```bash export IP_ADDRESS=$(az vm show --show-details --resource-group $MY_RESOURCE_GROUP_NAME --name $MY_VM_NAME --query publicIps --output tsv) diff --git a/articles/virtual-machines/share-using-app-registration.md b/articles/virtual-machines/share-using-app-registration.md index 2be03e6ba9566..620a541b69752 100644 --- a/articles/virtual-machines/share-using-app-registration.md +++ b/articles/virtual-machines/share-using-app-registration.md 
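Review bot: in hunk @@ -59,7 +73,9 @@ the new paragraph mixes voices (`use the \`vm create\` command` followed by `Finally, we deploy the latest ...`) and refers to the command as `vm create`, whereas the rest of the quickstart names commands in full (`az group create` in hunk @@ -30,11 +44,11 @@); use `az vm create` and the second person throughout. The statement that `--public-ip-sku Standard` `ensures that the machine is accessible via a public IP address` deserves one more sentence for the reader: that address is what hunk @@ -105,7 +121,7 @@ later stores for SSH, so the VM's SSH endpoint is reachable from the internet, and the article should say where inbound access is restricted (for example, a network security group rule limiting port 22 to the reader's own address range).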
@@ -46,7 +46,7 @@ az account get-access-token Sign in the service principal for tenant 2 using the appID, the app key, and the ID of tenant 2: ```azurecli-interactive -az login --service-principal -u $appid -p secret --tenant $tenant2 +az login --service-principal -u $appid -p $secret --tenant $tenant2 az account get-access-token ``` diff --git a/articles/vpn-gateway/vpn-gateway-download-vpndevicescript.md b/articles/vpn-gateway/vpn-gateway-download-vpndevicescript.md index 0d3934f3f4455..006bbaa76bce6 100644 --- a/articles/vpn-gateway/vpn-gateway-download-vpndevicescript.md +++ b/articles/vpn-gateway/vpn-gateway-download-vpndevicescript.md @@ -5,7 +5,7 @@ titleSuffix: Azure VPN Gateway author: cherylmc ms.service: vpn-gateway ms.topic: how-to -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: cherylmc ms.custom: devx-track-azurepowershell 
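Review bot: the `-p secret` → `-p $secret` fix in hunk @@ -46,7 +46,7 @@ is correct; the literal string `secret` was being passed as the service principal's app key, so the sign-in to tenant 2 as written could never succeed. Two follow-ups: the hunk does not show where `$secret` is populated, so confirm that the earlier tenant-1 step in this article exports it under exactly that name; and because the app key is passed as a command-line argument, it ends up in shell history and in process listings on the machine where the command runs, which is worth a one-line caveat beside this block.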
@@ -18,18 +18,20 @@ This article walks you through downloading VPN device configuration scripts for ## About VPN device configuration scripts -A cross-premises VPN connection consists of an Azure VPN gateway, an on-premises VPN device, and an IPsec S2S VPN tunnel connecting the two. The typical work flow includes the following steps: +A cross-premises VPN connection consists of an Azure VPN gateway, an on-premises VPN device, and an IPsec S2S VPN tunnel connecting the two. + +The typical workflow includes the following steps: 1. Create and configure an Azure VPN gateway (virtual network gateway). 1. Create and configure an Azure local network gateway that represents your on-premises network and VPN device. 1. Create and configure an Azure VPN connection between the Azure VPN gateway and the local network gateway. 1. Configure the on-premises VPN device represented by the local network gateway to establish the actual S2S VPN tunnel with the Azure VPN gateway. -You can complete steps 1 through 3 using the Azure [portal](./tutorial-site-to-site-portal.md), [PowerShell](vpn-gateway-create-site-to-site-rm-powershell.md), or [CLI](vpn-gateway-howto-site-to-site-resource-manager-cli.md). The last step involves configuring the on-premises VPN devices outside of Azure. This feature allows you to download a configuration script for your VPN device with the corresponding values of your Azure VPN gateway, virtual network, and on-premises network address prefixes, and VPN connection properties, etc. already filled in. You can use the script as a starting point, or apply the script directly to your on-premises VPN devices via the configuration console. +You can complete steps 1 through 3 in the workflow using the Azure [portal](./tutorial-site-to-site-portal.md), [PowerShell](vpn-gateway-create-site-to-site-rm-powershell.md), or [CLI](vpn-gateway-howto-site-to-site-resource-manager-cli.md). Step 4 involves configuring the on-premises VPN devices outside of Azure. 
The steps in this article help you download a configuration script for your VPN device with the corresponding values of your Azure VPN gateway, virtual network, on-premises network address prefixes, and VPN connection properties already filled in. You can use the script as a starting point, or apply the script directly to your on-premises VPN devices via the configuration console. The syntax for each VPN device configuration script is different and heavily dependent on the models and firmware versions. Pay special attention to your device model and version information against the available templates. -* Some parameter values must be unique on the device, and can't be determined without accessing the device. The Azure-generated configuration scripts prefill these values, but you need to ensure the provided values are valid on your device. For examples: +* Some parameter values must be unique on the device, and can't be determined without accessing the device. The Azure-generated configuration scripts prefill these values, but you need to ensure the provided values are valid on your device. For example: * Interface numbers * Access control list numbers @@ -40,7 +42,7 @@ The syntax for each VPN device configuration script is different and heavily dep ## Download the configuration script - Azure portal -Create an Azure VPN gateway, local network gateway, and a connection resource connecting the two. The following page guides you through the steps: +Create an Azure VPN gateway, local network gateway, and a connection resource connecting the two. The following article guides you through the steps: * [Create a Site-to-Site connection in the Azure portal](./tutorial-site-to-site-portal.md) diff --git a/includes/policy/standards/asb/controls/air-5.md b/includes/policy/standards/asb/controls/air-5.md index e6528d7bcc01f..8aeb88ec4dca1 100644 --- a/includes/policy/standards/asb/controls/air-5.md +++ b/includes/policy/standards/asb/controls/air-5.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/am-2.md b/includes/policy/standards/asb/controls/am-2.md index 31877f3683594..ade5f14936592 100644 --- a/includes/policy/standards/asb/controls/am-2.md +++ b/includes/policy/standards/asb/controls/am-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/am-3.md b/includes/policy/standards/asb/controls/am-3.md index 95bc89486313c..ad10d7aada6e2 100644 --- a/includes/policy/standards/asb/controls/am-3.md +++ b/includes/policy/standards/asb/controls/am-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/am-5.md b/includes/policy/standards/asb/controls/am-5.md index e435baabf6378..a2ee3bc33e114 100644 --- a/includes/policy/standards/asb/controls/am-5.md +++ b/includes/policy/standards/asb/controls/am-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/br-1.md b/includes/policy/standards/asb/controls/br-1.md index 6f5543042721f..4c9bfb06acc9b 100644 --- a/includes/policy/standards/asb/controls/br-1.md +++ b/includes/policy/standards/asb/controls/br-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/standards/asb/controls/br-2.md b/includes/policy/standards/asb/controls/br-2.md index 6f5543042721f..4c9bfb06acc9b 100644 --- a/includes/policy/standards/asb/controls/br-2.md +++ b/includes/policy/standards/asb/controls/br-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/dp-1.md b/includes/policy/standards/asb/controls/dp-1.md index 298116ac445b7..eaa6d1cfed0c5 100644 --- a/includes/policy/standards/asb/controls/dp-1.md +++ b/includes/policy/standards/asb/controls/dp-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/dp-2.md b/includes/policy/standards/asb/controls/dp-2.md index 6b34d451695c0..ba1e3a4a43f03 100644 --- a/includes/policy/standards/asb/controls/dp-2.md +++ b/includes/policy/standards/asb/controls/dp-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/dp-3.md b/includes/policy/standards/asb/controls/dp-3.md index 8db67e08a9795..80f09aa8a1692 100644 --- a/includes/policy/standards/asb/controls/dp-3.md +++ b/includes/policy/standards/asb/controls/dp-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/dp-4.md b/includes/policy/standards/asb/controls/dp-4.md index f5db617f1f8af..2e09ba0c5cfd5 100644 --- a/includes/policy/standards/asb/controls/dp-4.md +++ b/includes/policy/standards/asb/controls/dp-4.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
@@ -12,7 +12,6 @@ ms.custom: generated |[\[Preview\]: Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost.](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca88aadc-6e2b-416c-9de2-5a0f01d1693f) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources. Use Azure Disk Encryption or EncryptionAtHost to encrypt all this data.Visit [https://aka.ms/diskencryptioncomparison](https://aka.ms/diskencryptioncomparison) to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |AuditIfNotExists, Disabled |[1.2.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/LinuxVMEncryption_AINE.json) | |[\[Preview\]: Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost.](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3dc5edcd-002d-444c-b216-e123bbfa37c0) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources. Use Azure Disk Encryption or EncryptionAtHost to encrypt all this data.Visit [https://aka.ms/diskencryptioncomparison](https://aka.ms/diskencryptioncomparison) to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
|AuditIfNotExists, Disabled |[1.1.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/WindowsVMEncryption_AINE.json) | |[A Microsoft Entra administrator should be provisioned for MySQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F146412e9-005c-472b-9e48-c87b72ac229e) |Audit provisioning of a Microsoft Entra administrator for your MySQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_AuditServerADAdmins_Audit.json) | -|[A Microsoft Entra administrator should be provisioned for PostgreSQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb4dec045-250a-48c2-b5cc-e0c4eec8b5b4) |Audit provisioning of a Microsoft Entra administrator for your PostgreSQL server to enable Microsoft Entra authentication. 
Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_AuditServerADAdmins_Audit.json) | |[Automation account variables should be encrypted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3657f5a0-770e-44a3-b44e-9431ba1e9735) |It is important to enable encryption of Automation account variable assets when storing sensitive data |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/AuditUnencryptedVars_Audit.json) | |[Azure MySQL flexible server should have Microsoft Entra Only Authentication enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F40e85574-ef33-47e8-a854-7a65c7500560) |Disabling local authentication methods and allowing only Microsoft Entra Authentication improves security by ensuring that Azure MySQL flexible server can exclusively be accessed by Microsoft Entra identities. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_FlexibleServers_ADOnlyEnabled_Audit.json) | |[Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F617c02be-7f02-4efd-8836-3180d47b6c68) |Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. 
Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/AuditClusterProtectionLevel_Audit.json) | diff --git a/includes/policy/standards/asb/controls/dp-5.md b/includes/policy/standards/asb/controls/dp-5.md index 7958e36d6038c..def11eeb5e1bd 100644 --- a/includes/policy/standards/asb/controls/dp-5.md +++ b/includes/policy/standards/asb/controls/dp-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/dp-6.md b/includes/policy/standards/asb/controls/dp-6.md index 0277b7b1fbd21..7b2c8b9bd58e5 100644 --- a/includes/policy/standards/asb/controls/dp-6.md +++ b/includes/policy/standards/asb/controls/dp-6.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/dp-7.md b/includes/policy/standards/asb/controls/dp-7.md index 9742cbf3278af..556cc0ff7c4d9 100644 --- a/includes/policy/standards/asb/controls/dp-7.md +++ b/includes/policy/standards/asb/controls/dp-7.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/dp-8.md b/includes/policy/standards/asb/controls/dp-8.md index d5389a2e7ebec..72b1a8fc4bbe1 100644 --- a/includes/policy/standards/asb/controls/dp-8.md +++ b/includes/policy/standards/asb/controls/dp-8.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
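Review bot: hunk @@ -12,7 +12,6 @@ in dp-4.md removes the `A Microsoft Entra administrator should be provisioned for PostgreSQL servers` row (definition `b4dec045-250a-48c2-b5cc-e0c4eec8b5b4`, version 1.0.1) with no replacement row, while the MySQL counterpart stays. This include is marked `ms.custom: generated`, so the deletion should be generator output reflecting a retired or deprecated built-in rather than a hand edit; please confirm the upstream definition was actually retired before merging, because after this change the DP-4 control lists no PostgreSQL policy at all.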
diff --git a/includes/policy/standards/asb/controls/ds-6.md b/includes/policy/standards/asb/controls/ds-6.md index 6a531358a5f13..19bb3c7413d33 100644 --- a/includes/policy/standards/asb/controls/ds-6.md +++ b/includes/policy/standards/asb/controls/ds-6.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- @@ -10,7 +10,5 @@ ms.custom: generated |Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | |---|---|---|---| |[Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F090c7b07-b4ed-4561-ad20-e9075f3ccaff) |Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_AzureContainerRegistryVulnerabilityAssessment_Audit.json) | -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. 
|AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |[Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17f4b1cc-c55c-4d94-b1f9-2978f6ac2957) |Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_K8sRuningImagesVulnerabilityAssessmentBasedOnMDVM_Audit.json) | -|[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. 
|AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) | |[Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) |Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) | diff --git a/includes/policy/standards/asb/controls/es-1.md b/includes/policy/standards/asb/controls/es-1.md index d2f631401d4a2..e582edfd0520c 100644 --- a/includes/policy/standards/asb/controls/es-1.md +++ b/includes/policy/standards/asb/controls/es-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/es-2.md b/includes/policy/standards/asb/controls/es-2.md index e3f7eb0fb3ed8..c7fe2a907174d 100644 --- a/includes/policy/standards/asb/controls/es-2.md +++ b/includes/policy/standards/asb/controls/es-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/es-3.md b/includes/policy/standards/asb/controls/es-3.md index a1a62d03e5385..98cb38a804475 100644 --- a/includes/policy/standards/asb/controls/es-3.md +++ b/includes/policy/standards/asb/controls/es-3.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/im-1.md b/includes/policy/standards/asb/controls/im-1.md index 81315e4c86ded..852cd1f469836 100644 --- a/includes/policy/standards/asb/controls/im-1.md +++ b/includes/policy/standards/asb/controls/im-1.md @@ -2,16 +2,17 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- |Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | |---|---|---|---| +|[A Microsoft Entra administrator should be provisioned for PostgreSQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb4dec045-250a-48c2-b5cc-e0c4eec8b5b4) |Audit provisioning of a Microsoft Entra administrator for your PostgreSQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_AuditServerADAdmins_Audit.json) | |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. 
After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | -|[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/azure-ml-aad-policy](https://aka.ms/azure-ml-aad-policy). |Audit, Deny, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Audit.json) | +|[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/azure-ml-aad-policy](https://aka.ms/azure-ml-aad-policy). 
|Audit, Deny, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Audit.json) | |[Azure SQL Database should have Microsoft Entra-only authentication enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb3a22bc9-66de-45fb-98fa-00f5df42f41a) |Require Azure SQL logical servers to use Microsoft Entra-only authentication. This policy doesn't block servers from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: [https://aka.ms/adonlycreate](https://aka.ms/adonlycreate). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_ADOnlyEnabled_DisableADAuth_Deny.json) | |[Azure SQL Database should have Microsoft Entra-only authentication enabled during creation](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabda6d70-9778-44e7-84a8-06713e6db027) |Require Azure SQL logical servers to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: [https://aka.ms/adonlycreate](https://aka.ms/adonlycreate). 
|Audit, Deny, Disabled |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_ADOnlyEnabled_Deny.json) | |[Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0c28c3fb-c244-42d5-a9bf-f35f2999577b) |Require Azure SQL Managed Instance to use Microsoft Entra-only authentication. This policy doesn't block Azure SQL Managed instances from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: [https://aka.ms/adonlycreate](https://aka.ms/adonlycreate). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_ADOnlyEnabled_DisableADAuth_Deny.json) | diff --git a/includes/policy/standards/asb/controls/im-3.md b/includes/policy/standards/asb/controls/im-3.md index 15dac9598a997..592245bbdb9f7 100644 --- a/includes/policy/standards/asb/controls/im-3.md +++ b/includes/policy/standards/asb/controls/im-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/im-4.md b/includes/policy/standards/asb/controls/im-4.md index 294489c50ec52..aeee834daab5d 100644 --- a/includes/policy/standards/asb/controls/im-4.md +++ b/includes/policy/standards/asb/controls/im-4.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/standards/asb/controls/im-6.md b/includes/policy/standards/asb/controls/im-6.md index 87bd7465c6015..61465734f488e 100644 --- a/includes/policy/standards/asb/controls/im-6.md +++ b/includes/policy/standards/asb/controls/im-6.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/im-8.md b/includes/policy/standards/asb/controls/im-8.md index 698623e478be4..ff2be0bcf1ff7 100644 --- a/includes/policy/standards/asb/controls/im-8.md +++ b/includes/policy/standards/asb/controls/im-8.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/ir-2.md b/includes/policy/standards/asb/controls/ir-2.md index 6bf5e8d9f67b6..d0fe8131f556d 100644 --- a/includes/policy/standards/asb/controls/ir-2.md +++ b/includes/policy/standards/asb/controls/ir-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/ir-3.md b/includes/policy/standards/asb/controls/ir-3.md index e6528d7bcc01f..8aeb88ec4dca1 100644 --- a/includes/policy/standards/asb/controls/ir-3.md +++ b/includes/policy/standards/asb/controls/ir-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/ir-4.md b/includes/policy/standards/asb/controls/ir-4.md index d54328d739841..cd2a70b905305 100644 --- a/includes/policy/standards/asb/controls/ir-4.md +++ b/includes/policy/standards/asb/controls/ir-4.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/lt-1.md b/includes/policy/standards/asb/controls/lt-1.md index 350557466877b..7acd6f2ace95e 100644 --- a/includes/policy/standards/asb/controls/lt-1.md +++ b/includes/policy/standards/asb/controls/lt-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/lt-2.md b/includes/policy/standards/asb/controls/lt-2.md index d1e6e9591ac13..c051e07b9d209 100644 --- a/includes/policy/standards/asb/controls/lt-2.md +++ b/includes/policy/standards/asb/controls/lt-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/lt-3.md b/includes/policy/standards/asb/controls/lt-3.md index 0ee1005efbbf8..a60832f0b7e86 100644 --- a/includes/policy/standards/asb/controls/lt-3.md +++ b/includes/policy/standards/asb/controls/lt-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/lt-4.md b/includes/policy/standards/asb/controls/lt-4.md index b972aeb01a8eb..96e5ebd46a542 100644 --- a/includes/policy/standards/asb/controls/lt-4.md +++ b/includes/policy/standards/asb/controls/lt-4.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/standards/asb/controls/lt-5.md b/includes/policy/standards/asb/controls/lt-5.md index d3b7ab824863f..d18f5ddfc5d51 100644 --- a/includes/policy/standards/asb/controls/lt-5.md +++ b/includes/policy/standards/asb/controls/lt-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/lt-6.md b/includes/policy/standards/asb/controls/lt-6.md index 7c7202d6f5636..00842837f1e02 100644 --- a/includes/policy/standards/asb/controls/lt-6.md +++ b/includes/policy/standards/asb/controls/lt-6.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/ns-1.md b/includes/policy/standards/asb/controls/ns-1.md index a6f1b0a361e83..7ec7476471369 100644 --- a/includes/policy/standards/asb/controls/ns-1.md +++ b/includes/policy/standards/asb/controls/ns-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/ns-2.md b/includes/policy/standards/asb/controls/ns-2.md index 50366c6201ff0..e03836de68ff1 100644 --- a/includes/policy/standards/asb/controls/ns-2.md +++ b/includes/policy/standards/asb/controls/ns-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
@@ -14,7 +14,7 @@ ms.custom: generated |[API Management should disable public network access to the service configuration endpoints](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf73bd95-24da-4a4f-96b9-4e8b94b402bd) |To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/PublicEndpoint_AINE.json) | |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. 
It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../../../articles/azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | |[Azure Cosmos DB accounts should have firewall rules](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb) |Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_NetworkRulesExist_Audit.json) | |[Azure Cosmos DB should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F797b37f7-06b8-444c-b1ad-fc62867f335a) |Disabling public network access improves security by ensuring that your CosmosDB account isn't exposed on the public internet. Creating private endpoints can limit exposure of your CosmosDB account. Learn more at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation](../../../../../articles/cosmos-db/how-to-configure-private-endpoints.md#blocking-public-network-access-during-account-creation). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateNetworkAccess_AuditDeny.json) | diff --git a/includes/policy/standards/asb/controls/ns-3.md b/includes/policy/standards/asb/controls/ns-3.md index 3a0c55c53c39e..94e140d839d63 100644 --- a/includes/policy/standards/asb/controls/ns-3.md +++ b/includes/policy/standards/asb/controls/ns-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/ns-5.md b/includes/policy/standards/asb/controls/ns-5.md index 95650eaf9515f..7d4a2fce22fee 100644 --- a/includes/policy/standards/asb/controls/ns-5.md +++ b/includes/policy/standards/asb/controls/ns-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/ns-6.md b/includes/policy/standards/asb/controls/ns-6.md index 2d2224072918b..fb0e3d34bef12 100644 --- a/includes/policy/standards/asb/controls/ns-6.md +++ b/includes/policy/standards/asb/controls/ns-6.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/ns-7.md b/includes/policy/standards/asb/controls/ns-7.md index ed33be2d1cf52..0f2fff59675d2 100644 --- a/includes/policy/standards/asb/controls/ns-7.md +++ b/includes/policy/standards/asb/controls/ns-7.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/standards/asb/controls/ns-8.md b/includes/policy/standards/asb/controls/ns-8.md index 5660d0f96757c..58bb440c4bc8d 100644 --- a/includes/policy/standards/asb/controls/ns-8.md +++ b/includes/policy/standards/asb/controls/ns-8.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/pa-1.md b/includes/policy/standards/asb/controls/pa-1.md index 372e75c76a878..fdf1e3e79b9bb 100644 --- a/includes/policy/standards/asb/controls/pa-1.md +++ b/includes/policy/standards/asb/controls/pa-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/pa-2.md b/includes/policy/standards/asb/controls/pa-2.md index 413147413ae08..eb37ee5e60645 100644 --- a/includes/policy/standards/asb/controls/pa-2.md +++ b/includes/policy/standards/asb/controls/pa-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/pa-4.md b/includes/policy/standards/asb/controls/pa-4.md index c14408c656c70..605c889a22b6f 100644 --- a/includes/policy/standards/asb/controls/pa-4.md +++ b/includes/policy/standards/asb/controls/pa-4.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/pa-7.md b/includes/policy/standards/asb/controls/pa-7.md index 59ebbad3e0c0d..ed7039ebac9b6 100644 --- a/includes/policy/standards/asb/controls/pa-7.md +++ b/includes/policy/standards/asb/controls/pa-7.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/pv-2.md b/includes/policy/standards/asb/controls/pv-2.md index 69bccb008c2f9..bf33aa0223a1e 100644 --- a/includes/policy/standards/asb/controls/pv-2.md +++ b/includes/policy/standards/asb/controls/pv-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/pv-4.md b/includes/policy/standards/asb/controls/pv-4.md index 3f8a1310ff841..cfbb205addc20 100644 --- a/includes/policy/standards/asb/controls/pv-4.md +++ b/includes/policy/standards/asb/controls/pv-4.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/pv-5.md b/includes/policy/standards/asb/controls/pv-5.md index e9688799a2a02..72e6414289a22 100644 --- a/includes/policy/standards/asb/controls/pv-5.md +++ b/includes/policy/standards/asb/controls/pv-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/controls/pv-6.md b/includes/policy/standards/asb/controls/pv-6.md index 10b7cf3c5d459..347e47e436100 100644 --- a/includes/policy/standards/asb/controls/pv-6.md +++ b/includes/policy/standards/asb/controls/pv-6.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
@@ -11,10 +11,8 @@ ms.custom: generated |---|---|---|---| |[\[Preview\]: System updates should be installed on your machines (powered by Update Center)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff85bf3e0-d513-442e-89c3-1784ad63382b) |Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. |AuditIfNotExists, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdatesV2_Audit.json) | |[Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F090c7b07-b4ed-4561-ad20-e9075f3ccaff) |Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. 
|AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_AzureContainerRegistryVulnerabilityAssessment_Audit.json) | -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |[Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17f4b1cc-c55c-4d94-b1f9-2978f6ac2957) |Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. 
|AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_K8sRuningImagesVulnerabilityAssessmentBasedOnMDVM_Audit.json) | -|[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) | -|[Machines should be configured to periodically check for missing system updates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd876905-5b84-4f73-ab2d-2e7a7c4568d9) |To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: [https://aka.ms/computevm-windowspatchassessmentmode,](https://aka.ms/computevm-windowspatchassessmentmode,) for Linux: [https://aka.ms/computevm-linuxpatchassessmentmode](https://aka.ms/computevm-linuxpatchassessmentmode). 
|Audit, Deny, Disabled |[3.6.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json) | +|[Machines should be configured to periodically check for missing system updates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd876905-5b84-4f73-ab2d-2e7a7c4568d9) |To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: [https://aka.ms/computevm-windowspatchassessmentmode,](https://aka.ms/computevm-windowspatchassessmentmode,) for Linux: [https://aka.ms/computevm-linuxpatchassessmentmode](https://aka.ms/computevm-linuxpatchassessmentmode). |Audit, Deny, Disabled |[3.7.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json) | |[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. 
|AuditIfNotExists, Disabled |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) | |[SQL servers on machines should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6ba6d016-e7c3-4842-b8f2-4992ebc0d72d) |SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerSQLVulnerabilityAssessment_Audit.json) | |[System updates on virtual machine scale sets should be installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3f317a7-a95c-4547-b7e7-11017ebdf2fe) |Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingSystemUpdates_Audit.json) | diff --git a/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-am-2.md b/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-am-2.md index 77fa330c88cec..a19c08d38aac9 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-am-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-am-2.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-am-3.md b/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-am-3.md index 95bc89486313c..ad10d7aada6e2 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-am-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-am-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-dp-3.md b/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-dp-3.md index 2e0dc4f699d2f..872af4dd59703 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-dp-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-dp-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-dp-6.md b/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-dp-6.md index 5823259cb1a69..ffbeb9b95802f 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-dp-6.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-dp-6.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-im-4.md b/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-im-4.md index 93f90e7f00628..009c97f37b1c9 100644 
--- a/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-im-4.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-im-4.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-im-8.md b/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-im-8.md index 20cae2e13b921..801648201c065 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-im-8.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-im-8.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-ns-2.md b/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-ns-2.md index 61c310ef515b5..c0e4fcfcd1120 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-ns-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-ns-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-pa-7.md b/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-pa-7.md index 9a03d46344c77..d4e6aacc9ddf2 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-pa-7.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-pa-7.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-pv-2.md b/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-pv-2.md index 320f345587ff7..21b605753c20c 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-pv-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.apimanagement-pv-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.app-ns-2.md b/includes/policy/standards/asb/rp-controls/microsoft.app-ns-2.md index 5cb5caab6b4ef..4f3d16e7625b6 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.app-ns-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.app-ns-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.appconfiguration-ns-2.md b/includes/policy/standards/asb/rp-controls/microsoft.appconfiguration-ns-2.md index 5cb5caab6b4ef..4f3d16e7625b6 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.appconfiguration-ns-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.appconfiguration-ns-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.appplatform-ns-2.md b/includes/policy/standards/asb/rp-controls/microsoft.appplatform-ns-2.md index 3cee0a70529e9..685f319e4e73a 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.appplatform-ns-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.appplatform-ns-2.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.authorization-air-5.md b/includes/policy/standards/asb/rp-controls/microsoft.authorization-air-5.md index eb7e93b407d1c..dc76b4e9740f6 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.authorization-air-5.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.authorization-air-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.authorization-ir-3.md b/includes/policy/standards/asb/rp-controls/microsoft.authorization-ir-3.md index eb7e93b407d1c..dc76b4e9740f6 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.authorization-ir-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.authorization-ir-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.authorization-lt-1.md b/includes/policy/standards/asb/rp-controls/microsoft.authorization-lt-1.md index eb7e93b407d1c..dc76b4e9740f6 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.authorization-lt-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.authorization-lt-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.authorization-lt-2.md b/includes/policy/standards/asb/rp-controls/microsoft.authorization-lt-2.md index eb7e93b407d1c..dc76b4e9740f6 100644 
--- a/includes/policy/standards/asb/rp-controls/microsoft.authorization-lt-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.authorization-lt-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.authorization-pa-7.md b/includes/policy/standards/asb/rp-controls/microsoft.authorization-pa-7.md index fc6b2b4626724..8da9631286e94 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.authorization-pa-7.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.authorization-pa-7.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.automation-dp-4.md b/includes/policy/standards/asb/rp-controls/microsoft.automation-dp-4.md index f0da390888ff1..40379dc30734e 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.automation-dp-4.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.automation-dp-4.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.azurearcdata-air-5.md b/includes/policy/standards/asb/rp-controls/microsoft.azurearcdata-air-5.md index 60917aa49bb03..adab6ac5ac148 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.azurearcdata-air-5.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.azurearcdata-air-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/standards/asb/rp-controls/microsoft.azurearcdata-ir-3.md b/includes/policy/standards/asb/rp-controls/microsoft.azurearcdata-ir-3.md index 60917aa49bb03..adab6ac5ac148 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.azurearcdata-ir-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.azurearcdata-ir-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.azurearcdata-lt-1.md b/includes/policy/standards/asb/rp-controls/microsoft.azurearcdata-lt-1.md index 60917aa49bb03..adab6ac5ac148 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.azurearcdata-lt-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.azurearcdata-lt-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.azurearcdata-lt-2.md b/includes/policy/standards/asb/rp-controls/microsoft.azurearcdata-lt-2.md index 60917aa49bb03..adab6ac5ac148 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.azurearcdata-lt-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.azurearcdata-lt-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.azurestackhci-dp-3.md b/includes/policy/standards/asb/rp-controls/microsoft.azurestackhci-dp-3.md index 357c9e1158191..9491b95476a64 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.azurestackhci-dp-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.azurestackhci-dp-3.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.azurestackhci-dp-5.md b/includes/policy/standards/asb/rp-controls/microsoft.azurestackhci-dp-5.md index e93f3dc0e9e3b..037739055a670 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.azurestackhci-dp-5.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.azurestackhci-dp-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.azurestackhci-pv-4.md b/includes/policy/standards/asb/rp-controls/microsoft.azurestackhci-pv-4.md index d58811e9fa86d..f7f9c5d612eb2 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.azurestackhci-pv-4.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.azurestackhci-pv-4.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.batch-lt-3.md b/includes/policy/standards/asb/rp-controls/microsoft.batch-lt-3.md index b8abc99328462..ed911d681e5a7 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.batch-lt-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.batch-lt-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.cache-dp-3.md b/includes/policy/standards/asb/rp-controls/microsoft.cache-dp-3.md index 9d22fce40226e..f0a06a3c4a7a9 100644 
--- a/includes/policy/standards/asb/rp-controls/microsoft.cache-dp-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.cache-dp-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.cache-ns-2.md b/includes/policy/standards/asb/rp-controls/microsoft.cache-ns-2.md index cb4860b74c181..91aacb8424c5b 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.cache-ns-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.cache-ns-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-am-2.md b/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-am-2.md index a77501f975f00..a0e61dffa8871 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-am-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-am-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-am-5.md b/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-am-5.md index a2a59eff94f46..4ff09bcfe6382 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-am-5.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-am-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-dp-4.md b/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-dp-4.md index 3754996c4aa75..4020125685b74 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-dp-4.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-dp-4.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-ds-6.md b/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-ds-6.md index 24374193bb7e0..ae0ba45e4c57d 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-ds-6.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-ds-6.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-es-2.md b/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-es-2.md index a1a62d03e5385..98cb38a804475 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-es-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-es-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-es-3.md b/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-es-3.md index a1a62d03e5385..98cb38a804475 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-es-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-es-3.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-im-8.md b/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-im-8.md index 2b4a5b32d3884..e0c00bc7089fe 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-im-8.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-im-8.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-lt-5.md b/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-lt-5.md index 527e5c17d2cef..88235d607df4d 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-lt-5.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-lt-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-ns-1.md b/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-ns-1.md index 836891cea62f9..c355ae42e2cfb 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-ns-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-ns-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-ns-3.md b/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-ns-3.md index 05f4bffd849d5..98f2a7fe57b17 100644 
--- a/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-ns-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-ns-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-pv-5.md b/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-pv-5.md index fc206b3133eae..2381bc1f1525d 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-pv-5.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-pv-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-pv-6.md b/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-pv-6.md index 9bb9f2206d214..6bdb4c1e8ed09 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-pv-6.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.classiccompute-pv-6.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.classicstorage-am-2.md b/includes/policy/standards/asb/rp-controls/microsoft.classicstorage-am-2.md index 243f195877b14..7134372acea8f 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.classicstorage-am-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.classicstorage-am-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/standards/asb/rp-controls/microsoft.cognitiveservices-dp-5.md b/includes/policy/standards/asb/rp-controls/microsoft.cognitiveservices-dp-5.md index 3b5ffeec725f3..ae3c8a4d740a0 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.cognitiveservices-dp-5.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.cognitiveservices-dp-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.cognitiveservices-im-1.md b/includes/policy/standards/asb/rp-controls/microsoft.cognitiveservices-im-1.md index b29064f4ff0cc..04d7be039bac7 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.cognitiveservices-im-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.cognitiveservices-im-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.cognitiveservices-ns-2.md b/includes/policy/standards/asb/rp-controls/microsoft.cognitiveservices-ns-2.md index 228dbcd2a1d93..b1077f7e8dd64 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.cognitiveservices-ns-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.cognitiveservices-ns-2.md @@ -2,11 +2,11 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- |Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | |---|---|---|---| -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | diff --git a/includes/policy/standards/asb/rp-controls/microsoft.compute-am-2.md b/includes/policy/standards/asb/rp-controls/microsoft.compute-am-2.md index a77501f975f00..a0e61dffa8871 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.compute-am-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.compute-am-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/standards/asb/rp-controls/microsoft.compute-am-5.md b/includes/policy/standards/asb/rp-controls/microsoft.compute-am-5.md index a2a59eff94f46..4ff09bcfe6382 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.compute-am-5.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.compute-am-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.compute-br-1.md b/includes/policy/standards/asb/rp-controls/microsoft.compute-br-1.md index 44a56501e104e..9e7e31637ff76 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.compute-br-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.compute-br-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.compute-br-2.md b/includes/policy/standards/asb/rp-controls/microsoft.compute-br-2.md index 44a56501e104e..9e7e31637ff76 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.compute-br-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.compute-br-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.compute-dp-3.md b/includes/policy/standards/asb/rp-controls/microsoft.compute-dp-3.md index 09d0087566b6e..e5bfc56c2b901 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.compute-dp-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.compute-dp-3.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.compute-dp-4.md b/includes/policy/standards/asb/rp-controls/microsoft.compute-dp-4.md index ff9fcd4753591..67ef501d67059 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.compute-dp-4.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.compute-dp-4.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.compute-ds-6.md b/includes/policy/standards/asb/rp-controls/microsoft.compute-ds-6.md index 24374193bb7e0..ae0ba45e4c57d 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.compute-ds-6.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.compute-ds-6.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.compute-es-2.md b/includes/policy/standards/asb/rp-controls/microsoft.compute-es-2.md index a1a62d03e5385..98cb38a804475 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.compute-es-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.compute-es-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.compute-es-3.md b/includes/policy/standards/asb/rp-controls/microsoft.compute-es-3.md index a1a62d03e5385..98cb38a804475 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.compute-es-3.md 
+++ b/includes/policy/standards/asb/rp-controls/microsoft.compute-es-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.compute-im-3.md b/includes/policy/standards/asb/rp-controls/microsoft.compute-im-3.md index eabb65ab40119..63d1e32993658 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.compute-im-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.compute-im-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.compute-im-6.md b/includes/policy/standards/asb/rp-controls/microsoft.compute-im-6.md index 7962c54b5ec47..6865e3d8df9e5 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.compute-im-6.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.compute-im-6.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.compute-im-8.md b/includes/policy/standards/asb/rp-controls/microsoft.compute-im-8.md index 2b4a5b32d3884..e0c00bc7089fe 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.compute-im-8.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.compute-im-8.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.compute-lt-1.md b/includes/policy/standards/asb/rp-controls/microsoft.compute-lt-1.md index 6805ea87e0795..d498a6c1bac09 100644 
--- a/includes/policy/standards/asb/rp-controls/microsoft.compute-lt-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.compute-lt-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.compute-lt-2.md b/includes/policy/standards/asb/rp-controls/microsoft.compute-lt-2.md index 6805ea87e0795..d498a6c1bac09 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.compute-lt-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.compute-lt-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.compute-lt-4.md b/includes/policy/standards/asb/rp-controls/microsoft.compute-lt-4.md index f61b162608833..0afe864ab5923 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.compute-lt-4.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.compute-lt-4.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.compute-lt-5.md b/includes/policy/standards/asb/rp-controls/microsoft.compute-lt-5.md index 527e5c17d2cef..88235d607df4d 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.compute-lt-5.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.compute-lt-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/standards/asb/rp-controls/microsoft.compute-ns-1.md b/includes/policy/standards/asb/rp-controls/microsoft.compute-ns-1.md index ed33be2d1cf52..0f2fff59675d2 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.compute-ns-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.compute-ns-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.compute-ns-3.md b/includes/policy/standards/asb/rp-controls/microsoft.compute-ns-3.md index 05f4bffd849d5..98f2a7fe57b17 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.compute-ns-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.compute-ns-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.compute-ns-7.md b/includes/policy/standards/asb/rp-controls/microsoft.compute-ns-7.md index ed33be2d1cf52..0f2fff59675d2 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.compute-ns-7.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.compute-ns-7.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.compute-pa-2.md b/includes/policy/standards/asb/rp-controls/microsoft.compute-pa-2.md index 413147413ae08..eb37ee5e60645 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.compute-pa-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.compute-pa-2.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.compute-pv-4.md b/includes/policy/standards/asb/rp-controls/microsoft.compute-pv-4.md index 18d5def70ca53..de7d2c7b46a8b 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.compute-pv-4.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.compute-pv-4.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.compute-pv-5.md b/includes/policy/standards/asb/rp-controls/microsoft.compute-pv-5.md index fc206b3133eae..2381bc1f1525d 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.compute-pv-5.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.compute-pv-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.compute-pv-6.md b/includes/policy/standards/asb/rp-controls/microsoft.compute-pv-6.md index 532c5e05ce914..e469dc30841f6 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.compute-pv-6.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.compute-pv-6.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.connectedvmwarevsphere-dp-3.md b/includes/policy/standards/asb/rp-controls/microsoft.connectedvmwarevsphere-dp-3.md index 09d0087566b6e..e5bfc56c2b901 100644 
--- a/includes/policy/standards/asb/rp-controls/microsoft.connectedvmwarevsphere-dp-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.connectedvmwarevsphere-dp-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.connectedvmwarevsphere-es-2.md b/includes/policy/standards/asb/rp-controls/microsoft.connectedvmwarevsphere-es-2.md index 6805ea87e0795..d498a6c1bac09 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.connectedvmwarevsphere-es-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.connectedvmwarevsphere-es-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.connectedvmwarevsphere-im-6.md b/includes/policy/standards/asb/rp-controls/microsoft.connectedvmwarevsphere-im-6.md index 7962c54b5ec47..6865e3d8df9e5 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.connectedvmwarevsphere-im-6.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.connectedvmwarevsphere-im-6.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.connectedvmwarevsphere-lt-1.md b/includes/policy/standards/asb/rp-controls/microsoft.connectedvmwarevsphere-lt-1.md index 6805ea87e0795..d498a6c1bac09 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.connectedvmwarevsphere-lt-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.connectedvmwarevsphere-lt-1.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.connectedvmwarevsphere-lt-2.md b/includes/policy/standards/asb/rp-controls/microsoft.connectedvmwarevsphere-lt-2.md index 6805ea87e0795..d498a6c1bac09 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.connectedvmwarevsphere-lt-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.connectedvmwarevsphere-lt-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.connectedvmwarevsphere-pv-4.md b/includes/policy/standards/asb/rp-controls/microsoft.connectedvmwarevsphere-pv-4.md index 1ef7e83d6c6f8..e771e0a0b0ed0 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.connectedvmwarevsphere-pv-4.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.connectedvmwarevsphere-pv-4.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.containerregistry-dp-5.md b/includes/policy/standards/asb/rp-controls/microsoft.containerregistry-dp-5.md index e15b97f9b32f0..62b0c0806a3fb 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.containerregistry-dp-5.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.containerregistry-dp-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/standards/asb/rp-controls/microsoft.containerregistry-ds-6.md b/includes/policy/standards/asb/rp-controls/microsoft.containerregistry-ds-6.md index 9cd5ddcd38d94..46d72552f1c8d 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.containerregistry-ds-6.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.containerregistry-ds-6.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.containerregistry-ns-2.md b/includes/policy/standards/asb/rp-controls/microsoft.containerregistry-ns-2.md index 1292ef14cb754..464d89737dc8b 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.containerregistry-ns-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.containerregistry-ns-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.containerregistry-pv-6.md b/includes/policy/standards/asb/rp-controls/microsoft.containerregistry-pv-6.md index 9cd5ddcd38d94..46d72552f1c8d 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.containerregistry-pv-6.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.containerregistry-pv-6.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.containerservice-dp-3.md b/includes/policy/standards/asb/rp-controls/microsoft.containerservice-dp-3.md index ee8d6f775eca4..beb96e13cc222 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.containerservice-dp-3.md 
+++ b/includes/policy/standards/asb/rp-controls/microsoft.containerservice-dp-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.containerservice-ds-6.md b/includes/policy/standards/asb/rp-controls/microsoft.containerservice-ds-6.md index 0735846b5c335..5341fa1806d97 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.containerservice-ds-6.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.containerservice-ds-6.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.containerservice-lt-1.md b/includes/policy/standards/asb/rp-controls/microsoft.containerservice-lt-1.md index 96efeaaaf35a4..a7896381ea57d 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.containerservice-lt-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.containerservice-lt-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.containerservice-lt-2.md b/includes/policy/standards/asb/rp-controls/microsoft.containerservice-lt-2.md index 96efeaaaf35a4..a7896381ea57d 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.containerservice-lt-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.containerservice-lt-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/standards/asb/rp-controls/microsoft.containerservice-lt-3.md b/includes/policy/standards/asb/rp-controls/microsoft.containerservice-lt-3.md index 8e20ad5a26b29..1eece9bcf6d26 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.containerservice-lt-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.containerservice-lt-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.containerservice-ns-2.md b/includes/policy/standards/asb/rp-controls/microsoft.containerservice-ns-2.md index 46559b8b5046e..1e2cd3ceedae8 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.containerservice-ns-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.containerservice-ns-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.containerservice-pa-7.md b/includes/policy/standards/asb/rp-controls/microsoft.containerservice-pa-7.md index a54d43ba7fc1f..5638426a13fff 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.containerservice-pa-7.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.containerservice-pa-7.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.containerservice-pv-2.md b/includes/policy/standards/asb/rp-controls/microsoft.containerservice-pv-2.md index 6cd2673213505..1fe096917c594 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.containerservice-pv-2.md 
+++ b/includes/policy/standards/asb/rp-controls/microsoft.containerservice-pv-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.containerservice-pv-6.md b/includes/policy/standards/asb/rp-controls/microsoft.containerservice-pv-6.md index 0735846b5c335..5341fa1806d97 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.containerservice-pv-6.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.containerservice-pv-6.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.databricks-lt-3.md b/includes/policy/standards/asb/rp-controls/microsoft.databricks-lt-3.md index e1b89a3d91175..39811ae1ae48e 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.databricks-lt-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.databricks-lt-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.databricks-ns-2.md b/includes/policy/standards/asb/rp-controls/microsoft.databricks-ns-2.md index a8fe1e0a1a7e9..87309bf60bb08 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.databricks-ns-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.databricks-ns-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/standards/asb/rp-controls/microsoft.datalakeanalytics-lt-3.md b/includes/policy/standards/asb/rp-controls/microsoft.datalakeanalytics-lt-3.md index e7acdc9fb431d..347cd021ca2da 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.datalakeanalytics-lt-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.datalakeanalytics-lt-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.datalakestore-lt-3.md b/includes/policy/standards/asb/rp-controls/microsoft.datalakestore-lt-3.md index 8c7eb69c4ff20..50794efd14327 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.datalakestore-lt-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.datalakestore-lt-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.dbformariadb-br-1.md b/includes/policy/standards/asb/rp-controls/microsoft.dbformariadb-br-1.md index b835b42578732..29d97661543dc 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.dbformariadb-br-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.dbformariadb-br-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.dbformariadb-br-2.md b/includes/policy/standards/asb/rp-controls/microsoft.dbformariadb-br-2.md index b835b42578732..29d97661543dc 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.dbformariadb-br-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.dbformariadb-br-2.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.dbformariadb-ns-2.md b/includes/policy/standards/asb/rp-controls/microsoft.dbformariadb-ns-2.md index 474ce18985ee9..b5b70076e5d0d 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.dbformariadb-ns-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.dbformariadb-ns-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.dbformysql-br-1.md b/includes/policy/standards/asb/rp-controls/microsoft.dbformysql-br-1.md index 61e6b428f9d9b..8f6549d983f9b 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.dbformysql-br-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.dbformysql-br-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.dbformysql-br-2.md b/includes/policy/standards/asb/rp-controls/microsoft.dbformysql-br-2.md index 61e6b428f9d9b..8f6549d983f9b 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.dbformysql-br-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.dbformysql-br-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.dbformysql-dp-3.md b/includes/policy/standards/asb/rp-controls/microsoft.dbformysql-dp-3.md index dae3b4c6d6975..4f355c47132dc 100644 
--- a/includes/policy/standards/asb/rp-controls/microsoft.dbformysql-dp-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.dbformysql-dp-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.dbformysql-dp-4.md b/includes/policy/standards/asb/rp-controls/microsoft.dbformysql-dp-4.md index 4ee8eb6fefa0a..ef507c570aa34 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.dbformysql-dp-4.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.dbformysql-dp-4.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.dbformysql-dp-5.md b/includes/policy/standards/asb/rp-controls/microsoft.dbformysql-dp-5.md index 31ca82815a35e..f62bf3f077929 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.dbformysql-dp-5.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.dbformysql-dp-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.dbformysql-ns-2.md b/includes/policy/standards/asb/rp-controls/microsoft.dbformysql-ns-2.md index 1e37093156650..3c4199d9727e1 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.dbformysql-ns-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.dbformysql-ns-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-air-5.md b/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-air-5.md index 121a4aed18da7..3262fa2bee341 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-air-5.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-air-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-br-1.md b/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-br-1.md index e217139710159..249843442d24a 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-br-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-br-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-br-2.md b/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-br-2.md index e217139710159..249843442d24a 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-br-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-br-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-dp-3.md b/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-dp-3.md index 7439c5a5691e5..fa9c85aa1e3f1 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-dp-3.md 
+++ b/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-dp-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-dp-5.md b/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-dp-5.md index c66008280595e..d7c120d478c83 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-dp-5.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-dp-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-dp-4.md b/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-im-1.md similarity index 97% rename from includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-dp-4.md rename to includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-im-1.md index 86ca57ddd8186..6a8b1ba521be9 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-dp-4.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-im-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-ir-3.md b/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-ir-3.md index 121a4aed18da7..3262fa2bee341 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-ir-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-ir-3.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-lt-1.md b/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-lt-1.md index 121a4aed18da7..3262fa2bee341 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-lt-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-lt-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-lt-2.md b/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-lt-2.md index 121a4aed18da7..3262fa2bee341 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-lt-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-lt-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-ns-2.md b/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-ns-2.md index 52e359e4afb72..12e7c554e09ae 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-ns-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.dbforpostgresql-ns-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.devices-lt-3.md b/includes/policy/standards/asb/rp-controls/microsoft.devices-lt-3.md index 992bf9eb53225..27fae53bed24f 100644 
--- a/includes/policy/standards/asb/rp-controls/microsoft.devices-lt-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.devices-lt-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.documentdb-dp-5.md b/includes/policy/standards/asb/rp-controls/microsoft.documentdb-dp-5.md index d9720e647ac1e..0c44d9d43a499 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.documentdb-dp-5.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.documentdb-dp-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.documentdb-im-1.md b/includes/policy/standards/asb/rp-controls/microsoft.documentdb-im-1.md index 7e28a72e08ae7..9ec4f3a3c25ee 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.documentdb-im-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.documentdb-im-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.documentdb-ns-2.md b/includes/policy/standards/asb/rp-controls/microsoft.documentdb-ns-2.md index c2a6e8a4a61f0..0b9a8b0b552c8 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.documentdb-ns-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.documentdb-ns-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/standards/asb/rp-controls/microsoft.eventgrid-ns-2.md b/includes/policy/standards/asb/rp-controls/microsoft.eventgrid-ns-2.md index 5941fdcab7452..1df46312c59f3 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.eventgrid-ns-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.eventgrid-ns-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.eventhub-lt-3.md b/includes/policy/standards/asb/rp-controls/microsoft.eventhub-lt-3.md index 0ef992a092cfe..b634a0c29d79c 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.eventhub-lt-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.eventhub-lt-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-dp-3.md b/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-dp-3.md index 09d0087566b6e..e5bfc56c2b901 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-dp-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-dp-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-dp-4.md b/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-dp-4.md index ff9fcd4753591..67ef501d67059 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-dp-4.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-dp-4.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-es-2.md b/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-es-2.md index 6805ea87e0795..d498a6c1bac09 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-es-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-es-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-im-6.md b/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-im-6.md index 7962c54b5ec47..6865e3d8df9e5 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-im-6.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-im-6.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-lt-1.md b/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-lt-1.md index 6805ea87e0795..d498a6c1bac09 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-lt-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-lt-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-lt-2.md b/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-lt-2.md index 6805ea87e0795..d498a6c1bac09 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-lt-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-lt-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-lt-5.md b/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-lt-5.md index ded3123e242c3..9c2b893864a95 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-lt-5.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-lt-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-pv-4.md b/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-pv-4.md index 1ef7e83d6c6f8..e771e0a0b0ed0 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-pv-4.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.guestconfiguration-pv-4.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-dp-3.md b/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-dp-3.md index 09d0087566b6e..e5bfc56c2b901 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-dp-3.md 
+++ b/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-dp-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-es-2.md b/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-es-2.md index a1a62d03e5385..98cb38a804475 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-es-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-es-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-es-3.md b/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-es-3.md index a1a62d03e5385..98cb38a804475 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-es-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-es-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-im-6.md b/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-im-6.md index 7962c54b5ec47..6865e3d8df9e5 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-im-6.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-im-6.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-lt-1.md b/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-lt-1.md index 6805ea87e0795..d498a6c1bac09 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-lt-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-lt-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-lt-2.md b/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-lt-2.md index 6805ea87e0795..d498a6c1bac09 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-lt-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-lt-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-lt-5.md b/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-lt-5.md index 190898941c1c4..d2a51a8fbf8fa 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-lt-5.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-lt-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-pv-4.md b/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-pv-4.md index 1ef7e83d6c6f8..e771e0a0b0ed0 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-pv-4.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-pv-4.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-pv-6.md b/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-pv-6.md index 532c5e05ce914..e469dc30841f6 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-pv-6.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.hybridcompute-pv-6.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.insights-dp-8.md b/includes/policy/standards/asb/rp-controls/microsoft.insights-dp-8.md index 091572d63878d..be864fde33fe4 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.insights-dp-8.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.insights-dp-8.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.insights-lt-3.md b/includes/policy/standards/asb/rp-controls/microsoft.insights-lt-3.md index 4ee24b3d4d1fd..ef8c89f03dedb 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.insights-lt-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.insights-lt-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.keyvault-dp-6.md b/includes/policy/standards/asb/rp-controls/microsoft.keyvault-dp-6.md index 0c20e9efa6efe..002783cc80d69 100644 
--- a/includes/policy/standards/asb/rp-controls/microsoft.keyvault-dp-6.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.keyvault-dp-6.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.keyvault-dp-7.md b/includes/policy/standards/asb/rp-controls/microsoft.keyvault-dp-7.md index 9742cbf3278af..556cc0ff7c4d9 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.keyvault-dp-7.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.keyvault-dp-7.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.keyvault-dp-8.md b/includes/policy/standards/asb/rp-controls/microsoft.keyvault-dp-8.md index fad21bf791085..96eb065a7627a 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.keyvault-dp-8.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.keyvault-dp-8.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.keyvault-lt-3.md b/includes/policy/standards/asb/rp-controls/microsoft.keyvault-lt-3.md index 091572d63878d..be864fde33fe4 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.keyvault-lt-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.keyvault-lt-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/standards/asb/rp-controls/microsoft.keyvault-ns-2.md b/includes/policy/standards/asb/rp-controls/microsoft.keyvault-ns-2.md index fad21bf791085..96eb065a7627a 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.keyvault-ns-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.keyvault-ns-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.keyvault.data-dp-6.md b/includes/policy/standards/asb/rp-controls/microsoft.keyvault.data-dp-6.md index 0c20e9efa6efe..002783cc80d69 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.keyvault.data-dp-6.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.keyvault.data-dp-6.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.keyvault.data-dp-7.md b/includes/policy/standards/asb/rp-controls/microsoft.keyvault.data-dp-7.md index 9742cbf3278af..556cc0ff7c4d9 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.keyvault.data-dp-7.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.keyvault.data-dp-7.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.kubernetes-dp-3.md b/includes/policy/standards/asb/rp-controls/microsoft.kubernetes-dp-3.md index ee8d6f775eca4..beb96e13cc222 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.kubernetes-dp-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.kubernetes-dp-3.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.kubernetes-lt-1.md b/includes/policy/standards/asb/rp-controls/microsoft.kubernetes-lt-1.md index c3c7fb1391792..025d5fbb2d86e 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.kubernetes-lt-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.kubernetes-lt-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.kubernetes-lt-2.md b/includes/policy/standards/asb/rp-controls/microsoft.kubernetes-lt-2.md index c3c7fb1391792..025d5fbb2d86e 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.kubernetes-lt-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.kubernetes-lt-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.kubernetes-pv-2.md b/includes/policy/standards/asb/rp-controls/microsoft.kubernetes-pv-2.md index 8f7d7b569edda..40c010d0cc637 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.kubernetes-pv-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.kubernetes-pv-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.kubernetesconfiguration-lt-1.md b/includes/policy/standards/asb/rp-controls/microsoft.kubernetesconfiguration-lt-1.md index c3c7fb1391792..025d5fbb2d86e 100644 
--- a/includes/policy/standards/asb/rp-controls/microsoft.kubernetesconfiguration-lt-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.kubernetesconfiguration-lt-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.kubernetesconfiguration-lt-2.md b/includes/policy/standards/asb/rp-controls/microsoft.kubernetesconfiguration-lt-2.md index c3c7fb1391792..025d5fbb2d86e 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.kubernetesconfiguration-lt-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.kubernetesconfiguration-lt-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.kubernetesconfiguration-pv-2.md b/includes/policy/standards/asb/rp-controls/microsoft.kubernetesconfiguration-pv-2.md index 8f7d7b569edda..40c010d0cc637 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.kubernetesconfiguration-pv-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.kubernetesconfiguration-pv-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.logic-lt-3.md b/includes/policy/standards/asb/rp-controls/microsoft.logic-lt-3.md index 7e7bec8ef12f1..3f2ef8dac39af 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.logic-lt-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.logic-lt-3.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.machinelearningservices-dp-5.md b/includes/policy/standards/asb/rp-controls/microsoft.machinelearningservices-dp-5.md index ba9f9fd8c0648..b471c23aa7ef6 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.machinelearningservices-dp-5.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.machinelearningservices-dp-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.machinelearningservices-im-1.md b/includes/policy/standards/asb/rp-controls/microsoft.machinelearningservices-im-1.md index d8216d13046e5..e245d0911ebab 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.machinelearningservices-im-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.machinelearningservices-im-1.md @@ -2,11 +2,11 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- |Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | |---|---|---|---| -|[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/azure-ml-aad-policy](https://aka.ms/azure-ml-aad-policy). |Audit, Deny, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Audit.json) | +|[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/azure-ml-aad-policy](https://aka.ms/azure-ml-aad-policy). |Audit, Deny, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Audit.json) | diff --git a/includes/policy/standards/asb/rp-controls/microsoft.machinelearningservices-lt-3.md b/includes/policy/standards/asb/rp-controls/microsoft.machinelearningservices-lt-3.md index cab8066eaf0ba..e95c7f429dd3e 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.machinelearningservices-lt-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.machinelearningservices-lt-3.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.machinelearningservices-ns-2.md b/includes/policy/standards/asb/rp-controls/microsoft.machinelearningservices-ns-2.md index cc4f407dc3683..774eb7a21c4b7 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.machinelearningservices-ns-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.machinelearningservices-ns-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.machinelearningservices-pv-2.md b/includes/policy/standards/asb/rp-controls/microsoft.machinelearningservices-pv-2.md index 6d4b0844b8fd4..f5549a4e3ab21 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.machinelearningservices-pv-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.machinelearningservices-pv-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.network-im-1.md b/includes/policy/standards/asb/rp-controls/microsoft.network-im-1.md index 8e27e50026e2e..eb33b94aa01dc 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.network-im-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.network-im-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/standards/asb/rp-controls/microsoft.network-ir-4.md b/includes/policy/standards/asb/rp-controls/microsoft.network-ir-4.md index d54328d739841..cd2a70b905305 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.network-ir-4.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.network-ir-4.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.network-ns-1.md b/includes/policy/standards/asb/rp-controls/microsoft.network-ns-1.md index 2a8368708b4f3..9eecf36fbf2ee 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.network-ns-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.network-ns-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.network-ns-3.md b/includes/policy/standards/asb/rp-controls/microsoft.network-ns-3.md index 77aa7ade98047..1be07db433cb3 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.network-ns-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.network-ns-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.network-ns-5.md b/includes/policy/standards/asb/rp-controls/microsoft.network-ns-5.md index 95650eaf9515f..7d4a2fce22fee 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.network-ns-5.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.network-ns-5.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.network-ns-6.md b/includes/policy/standards/asb/rp-controls/microsoft.network-ns-6.md index 003152866468b..03a167c8a6522 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.network-ns-6.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.network-ns-6.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.recoveryservices-br-1.md b/includes/policy/standards/asb/rp-controls/microsoft.recoveryservices-br-1.md index 44a56501e104e..9e7e31637ff76 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.recoveryservices-br-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.recoveryservices-br-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.recoveryservices-br-2.md b/includes/policy/standards/asb/rp-controls/microsoft.recoveryservices-br-2.md index 44a56501e104e..9e7e31637ff76 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.recoveryservices-br-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.recoveryservices-br-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.resources-air-5.md b/includes/policy/standards/asb/rp-controls/microsoft.resources-air-5.md index 557ad4c1af44f..efc833476f48a 100644 
--- a/includes/policy/standards/asb/rp-controls/microsoft.resources-air-5.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.resources-air-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.resources-dp-1.md b/includes/policy/standards/asb/rp-controls/microsoft.resources-dp-1.md index 298116ac445b7..eaa6d1cfed0c5 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.resources-dp-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.resources-dp-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.resources-dp-2.md b/includes/policy/standards/asb/rp-controls/microsoft.resources-dp-2.md index 0a7d6786eac67..d62a1ad9cf02f 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.resources-dp-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.resources-dp-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.resources-dp-8.md b/includes/policy/standards/asb/rp-controls/microsoft.resources-dp-8.md index 7364c5135db2e..f27ee3f46b224 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.resources-dp-8.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.resources-dp-8.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/standards/asb/rp-controls/microsoft.resources-es-1.md b/includes/policy/standards/asb/rp-controls/microsoft.resources-es-1.md index d2f631401d4a2..e582edfd0520c 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.resources-es-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.resources-es-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.resources-im-6.md b/includes/policy/standards/asb/rp-controls/microsoft.resources-im-6.md index 223b61108a78f..800d9c586554d 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.resources-im-6.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.resources-im-6.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.resources-ir-2.md b/includes/policy/standards/asb/rp-controls/microsoft.resources-ir-2.md index 4937dc3b36345..8840c0f38235b 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.resources-ir-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.resources-ir-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.resources-ir-3.md b/includes/policy/standards/asb/rp-controls/microsoft.resources-ir-3.md index 557ad4c1af44f..efc833476f48a 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.resources-ir-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.resources-ir-3.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.resources-lt-1.md b/includes/policy/standards/asb/rp-controls/microsoft.resources-lt-1.md index 557ad4c1af44f..efc833476f48a 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.resources-lt-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.resources-lt-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.resources-lt-2.md b/includes/policy/standards/asb/rp-controls/microsoft.resources-lt-2.md index 557ad4c1af44f..efc833476f48a 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.resources-lt-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.resources-lt-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.resources-lt-5.md b/includes/policy/standards/asb/rp-controls/microsoft.resources-lt-5.md index cb897f81ad9c7..01615688990bb 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.resources-lt-5.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.resources-lt-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.resources-pa-1.md b/includes/policy/standards/asb/rp-controls/microsoft.resources-pa-1.md index b629a4b45a3f5..517ddc2b3bba0 100644 
--- a/includes/policy/standards/asb/rp-controls/microsoft.resources-pa-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.resources-pa-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.resources-pa-4.md b/includes/policy/standards/asb/rp-controls/microsoft.resources-pa-4.md index 4345df76001cf..239dd86e93232 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.resources-pa-4.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.resources-pa-4.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.search-im-1.md b/includes/policy/standards/asb/rp-controls/microsoft.search-im-1.md index b29064f4ff0cc..04d7be039bac7 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.search-im-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.search-im-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.search-lt-3.md b/includes/policy/standards/asb/rp-controls/microsoft.search-lt-3.md index 9229e07378bd8..f1811410b9c4d 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.search-lt-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.search-lt-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/standards/asb/rp-controls/microsoft.search-ns-2.md b/includes/policy/standards/asb/rp-controls/microsoft.search-ns-2.md index 228dbcd2a1d93..b1077f7e8dd64 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.search-ns-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.search-ns-2.md @@ -2,11 +2,11 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- |Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | |---|---|---|---| -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | diff --git a/includes/policy/standards/asb/rp-controls/microsoft.security-air-5.md b/includes/policy/standards/asb/rp-controls/microsoft.security-air-5.md index 557ad4c1af44f..efc833476f48a 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.security-air-5.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.security-air-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/standards/asb/rp-controls/microsoft.security-am-3.md b/includes/policy/standards/asb/rp-controls/microsoft.security-am-3.md index 95bc89486313c..ad10d7aada6e2 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.security-am-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.security-am-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.security-am-5.md b/includes/policy/standards/asb/rp-controls/microsoft.security-am-5.md index a2a59eff94f46..4ff09bcfe6382 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.security-am-5.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.security-am-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.security-dp-1.md b/includes/policy/standards/asb/rp-controls/microsoft.security-dp-1.md index 298116ac445b7..eaa6d1cfed0c5 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.security-dp-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.security-dp-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.security-dp-2.md b/includes/policy/standards/asb/rp-controls/microsoft.security-dp-2.md index 0a7d6786eac67..d62a1ad9cf02f 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.security-dp-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.security-dp-2.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.security-dp-4.md b/includes/policy/standards/asb/rp-controls/microsoft.security-dp-4.md index 3754996c4aa75..4020125685b74 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.security-dp-4.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.security-dp-4.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.security-dp-8.md b/includes/policy/standards/asb/rp-controls/microsoft.security-dp-8.md index 7364c5135db2e..f27ee3f46b224 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.security-dp-8.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.security-dp-8.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.security-ds-6.md b/includes/policy/standards/asb/rp-controls/microsoft.security-ds-6.md index 9cd5ddcd38d94..46d72552f1c8d 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.security-ds-6.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.security-ds-6.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.security-es-1.md b/includes/policy/standards/asb/rp-controls/microsoft.security-es-1.md index d2f631401d4a2..e582edfd0520c 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.security-es-1.md 
+++ b/includes/policy/standards/asb/rp-controls/microsoft.security-es-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.security-es-2.md b/includes/policy/standards/asb/rp-controls/microsoft.security-es-2.md index a1a62d03e5385..98cb38a804475 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.security-es-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.security-es-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.security-es-3.md b/includes/policy/standards/asb/rp-controls/microsoft.security-es-3.md index a1a62d03e5385..98cb38a804475 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.security-es-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.security-es-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.security-im-4.md b/includes/policy/standards/asb/rp-controls/microsoft.security-im-4.md index 93f90e7f00628..009c97f37b1c9 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.security-im-4.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.security-im-4.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.security-im-6.md b/includes/policy/standards/asb/rp-controls/microsoft.security-im-6.md index 223b61108a78f..800d9c586554d 100644 
--- a/includes/policy/standards/asb/rp-controls/microsoft.security-im-6.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.security-im-6.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.security-im-8.md b/includes/policy/standards/asb/rp-controls/microsoft.security-im-8.md index 2b4a5b32d3884..e0c00bc7089fe 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.security-im-8.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.security-im-8.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.security-ir-2.md b/includes/policy/standards/asb/rp-controls/microsoft.security-ir-2.md index 4937dc3b36345..8840c0f38235b 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.security-ir-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.security-ir-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.security-ir-3.md b/includes/policy/standards/asb/rp-controls/microsoft.security-ir-3.md index 557ad4c1af44f..efc833476f48a 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.security-ir-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.security-ir-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/standards/asb/rp-controls/microsoft.security-lt-1.md b/includes/policy/standards/asb/rp-controls/microsoft.security-lt-1.md index 557ad4c1af44f..efc833476f48a 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.security-lt-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.security-lt-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.security-lt-2.md b/includes/policy/standards/asb/rp-controls/microsoft.security-lt-2.md index 557ad4c1af44f..efc833476f48a 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.security-lt-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.security-lt-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.security-lt-5.md b/includes/policy/standards/asb/rp-controls/microsoft.security-lt-5.md index cb897f81ad9c7..01615688990bb 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.security-lt-5.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.security-lt-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.security-ns-1.md b/includes/policy/standards/asb/rp-controls/microsoft.security-ns-1.md index ed33be2d1cf52..0f2fff59675d2 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.security-ns-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.security-ns-1.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.security-ns-3.md b/includes/policy/standards/asb/rp-controls/microsoft.security-ns-3.md index 05f4bffd849d5..98f2a7fe57b17 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.security-ns-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.security-ns-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.security-ns-5.md b/includes/policy/standards/asb/rp-controls/microsoft.security-ns-5.md index 95650eaf9515f..7d4a2fce22fee 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.security-ns-5.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.security-ns-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.security-ns-7.md b/includes/policy/standards/asb/rp-controls/microsoft.security-ns-7.md index ed33be2d1cf52..0f2fff59675d2 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.security-ns-7.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.security-ns-7.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.security-pa-1.md b/includes/policy/standards/asb/rp-controls/microsoft.security-pa-1.md index b629a4b45a3f5..517ddc2b3bba0 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.security-pa-1.md 
+++ b/includes/policy/standards/asb/rp-controls/microsoft.security-pa-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.security-pa-2.md b/includes/policy/standards/asb/rp-controls/microsoft.security-pa-2.md index 413147413ae08..eb37ee5e60645 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.security-pa-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.security-pa-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.security-pa-4.md b/includes/policy/standards/asb/rp-controls/microsoft.security-pa-4.md index 4345df76001cf..239dd86e93232 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.security-pa-4.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.security-pa-4.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.security-pv-4.md b/includes/policy/standards/asb/rp-controls/microsoft.security-pv-4.md index cd25be30561f7..3f3a7e61a528a 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.security-pv-4.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.security-pv-4.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.security-pv-5.md b/includes/policy/standards/asb/rp-controls/microsoft.security-pv-5.md index fc206b3133eae..2381bc1f1525d 100644 
--- a/includes/policy/standards/asb/rp-controls/microsoft.security-pv-5.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.security-pv-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.security-pv-6.md b/includes/policy/standards/asb/rp-controls/microsoft.security-pv-6.md index 532c5e05ce914..e469dc30841f6 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.security-pv-6.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.security-pv-6.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.servicebus-lt-3.md b/includes/policy/standards/asb/rp-controls/microsoft.servicebus-lt-3.md index 210532d2f45f2..e6d155917317f 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.servicebus-lt-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.servicebus-lt-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.servicefabric-dp-4.md b/includes/policy/standards/asb/rp-controls/microsoft.servicefabric-dp-4.md index 4490c72fe0d1e..ee3e42f59af6b 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.servicefabric-dp-4.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.servicefabric-dp-4.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/standards/asb/rp-controls/microsoft.servicefabric-im-1.md b/includes/policy/standards/asb/rp-controls/microsoft.servicefabric-im-1.md index 69b927b453c62..6789691fb411e 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.servicefabric-im-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.servicefabric-im-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.signalrservice-ns-2.md b/includes/policy/standards/asb/rp-controls/microsoft.signalrservice-ns-2.md index 80f16bc5771ff..0e2bc73da1cd9 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.signalrservice-ns-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.signalrservice-ns-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.sql-air-5.md b/includes/policy/standards/asb/rp-controls/microsoft.sql-air-5.md index c6366060b0f74..2f043909ad0bb 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.sql-air-5.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.sql-air-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.sql-dp-2.md b/includes/policy/standards/asb/rp-controls/microsoft.sql-dp-2.md index d49c30ea197c6..02d7a0b76f654 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.sql-dp-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.sql-dp-2.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.sql-dp-3.md b/includes/policy/standards/asb/rp-controls/microsoft.sql-dp-3.md index 408613f8167ad..6b42027a4e301 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.sql-dp-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.sql-dp-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.sql-dp-4.md b/includes/policy/standards/asb/rp-controls/microsoft.sql-dp-4.md index 1e2b435eb36d0..bdd96e19b4298 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.sql-dp-4.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.sql-dp-4.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.sql-dp-5.md b/includes/policy/standards/asb/rp-controls/microsoft.sql-dp-5.md index 037374f36745d..d54261386d9ef 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.sql-dp-5.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.sql-dp-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.sql-im-1.md b/includes/policy/standards/asb/rp-controls/microsoft.sql-im-1.md index 769472eb0d743..aa0650cd3b6e3 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.sql-im-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.sql-im-1.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.sql-im-4.md b/includes/policy/standards/asb/rp-controls/microsoft.sql-im-4.md index 408613f8167ad..6b42027a4e301 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.sql-im-4.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.sql-im-4.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.sql-ir-3.md b/includes/policy/standards/asb/rp-controls/microsoft.sql-ir-3.md index c6366060b0f74..2f043909ad0bb 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.sql-ir-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.sql-ir-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.sql-lt-1.md b/includes/policy/standards/asb/rp-controls/microsoft.sql-lt-1.md index c6366060b0f74..2f043909ad0bb 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.sql-lt-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.sql-lt-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.sql-lt-2.md b/includes/policy/standards/asb/rp-controls/microsoft.sql-lt-2.md index c6366060b0f74..2f043909ad0bb 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.sql-lt-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.sql-lt-2.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.sql-lt-3.md b/includes/policy/standards/asb/rp-controls/microsoft.sql-lt-3.md index f7275a0924e89..f22e0a3a32175 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.sql-lt-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.sql-lt-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.sql-lt-6.md b/includes/policy/standards/asb/rp-controls/microsoft.sql-lt-6.md index 7c7202d6f5636..00842837f1e02 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.sql-lt-6.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.sql-lt-6.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.sql-ns-2.md b/includes/policy/standards/asb/rp-controls/microsoft.sql-ns-2.md index edf6f91e7f446..0377e0e4dae34 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.sql-ns-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.sql-ns-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.sql-pv-5.md b/includes/policy/standards/asb/rp-controls/microsoft.sql-pv-5.md index 34fa6f004cf68..70c7405243f2c 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.sql-pv-5.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.sql-pv-5.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.sql-pv-6.md b/includes/policy/standards/asb/rp-controls/microsoft.sql-pv-6.md index 877e6594ba759..0320c3f2c5acb 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.sql-pv-6.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.sql-pv-6.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.storage-am-2.md b/includes/policy/standards/asb/rp-controls/microsoft.storage-am-2.md index 243f195877b14..7134372acea8f 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.storage-am-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.storage-am-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.storage-dp-3.md b/includes/policy/standards/asb/rp-controls/microsoft.storage-dp-3.md index 0da1d9b546744..51f38748801bf 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.storage-dp-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.storage-dp-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.storage-dp-5.md b/includes/policy/standards/asb/rp-controls/microsoft.storage-dp-5.md index 16519f7957660..a616bad5a1c42 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.storage-dp-5.md 
+++ b/includes/policy/standards/asb/rp-controls/microsoft.storage-dp-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.storage-im-1.md b/includes/policy/standards/asb/rp-controls/microsoft.storage-im-1.md index 6e66315b505d9..126468704e87b 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.storage-im-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.storage-im-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.storage-ns-2.md b/includes/policy/standards/asb/rp-controls/microsoft.storage-ns-2.md index 2c296ca97ea3c..04e432d5cf19e 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.storage-ns-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.storage-ns-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.streamanalytics-lt-3.md b/includes/policy/standards/asb/rp-controls/microsoft.streamanalytics-lt-3.md index 2b611455efd70..a48c3b9335edb 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.streamanalytics-lt-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.streamanalytics-lt-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/standards/asb/rp-controls/microsoft.synapse-air-5.md b/includes/policy/standards/asb/rp-controls/microsoft.synapse-air-5.md index 213729fcb13b7..9b0a36c3bfb0c 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.synapse-air-5.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.synapse-air-5.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.synapse-im-1.md b/includes/policy/standards/asb/rp-controls/microsoft.synapse-im-1.md index 9c2ceb9b63112..a7cf154a5b77d 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.synapse-im-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.synapse-im-1.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.synapse-ir-3.md b/includes/policy/standards/asb/rp-controls/microsoft.synapse-ir-3.md index 213729fcb13b7..9b0a36c3bfb0c 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.synapse-ir-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.synapse-ir-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.synapse-lt-1.md b/includes/policy/standards/asb/rp-controls/microsoft.synapse-lt-1.md index 213729fcb13b7..9b0a36c3bfb0c 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.synapse-lt-1.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.synapse-lt-1.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.synapse-lt-2.md b/includes/policy/standards/asb/rp-controls/microsoft.synapse-lt-2.md index 213729fcb13b7..9b0a36c3bfb0c 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.synapse-lt-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.synapse-lt-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.virtualmachineimages-ns-2.md b/includes/policy/standards/asb/rp-controls/microsoft.virtualmachineimages-ns-2.md index a935235c20d5a..b0d6788ccbf9c 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.virtualmachineimages-ns-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.virtualmachineimages-ns-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.web-dp-3.md b/includes/policy/standards/asb/rp-controls/microsoft.web-dp-3.md index 26089610bc82f..11316f0d77f0f 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.web-dp-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.web-dp-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.web-im-3.md b/includes/policy/standards/asb/rp-controls/microsoft.web-im-3.md index 5abd89332457f..a7012362c2b38 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.web-im-3.md 
+++ b/includes/policy/standards/asb/rp-controls/microsoft.web-im-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.web-lt-3.md b/includes/policy/standards/asb/rp-controls/microsoft.web-lt-3.md index 4ee24b3d4d1fd..ef8c89f03dedb 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.web-lt-3.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.web-lt-3.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.web-ns-8.md b/includes/policy/standards/asb/rp-controls/microsoft.web-ns-8.md index 82c951bad4b4e..fc203719aafce 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.web-ns-8.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.web-ns-8.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/asb/rp-controls/microsoft.web-pv-2.md b/includes/policy/standards/asb/rp-controls/microsoft.web-pv-2.md index f1c13f53007ff..65a14c50f51e4 100644 --- a/includes/policy/standards/asb/rp-controls/microsoft.web-pv-2.md +++ b/includes/policy/standards/asb/rp-controls/microsoft.web-pv-2.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.apimanagement.md b/includes/policy/standards/byrp/microsoft.apimanagement.md index a2ec8ade1b705..e21652d245f58 100644 --- a/includes/policy/standards/byrp/microsoft.apimanagement.md 
+++ b/includes/policy/standards/byrp/microsoft.apimanagement.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.appconfiguration.md b/includes/policy/standards/byrp/microsoft.appconfiguration.md index 2a447be7b541a..31e30f26ca132 100644 --- a/includes/policy/standards/byrp/microsoft.appconfiguration.md +++ b/includes/policy/standards/byrp/microsoft.appconfiguration.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.appplatform.md b/includes/policy/standards/byrp/microsoft.appplatform.md index c056459809a8f..88a91fe4ce1c4 100644 --- a/includes/policy/standards/byrp/microsoft.appplatform.md +++ b/includes/policy/standards/byrp/microsoft.appplatform.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.authorization.md b/includes/policy/standards/byrp/microsoft.authorization.md index c32156907ca56..49235f5b36ba9 100644 --- a/includes/policy/standards/byrp/microsoft.authorization.md +++ b/includes/policy/standards/byrp/microsoft.authorization.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.automation.md b/includes/policy/standards/byrp/microsoft.automation.md index 339d7f6faf67f..706495462a144 100644 --- a/includes/policy/standards/byrp/microsoft.automation.md +++ b/includes/policy/standards/byrp/microsoft.automation.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.azurearcdata.md b/includes/policy/standards/byrp/microsoft.azurearcdata.md index 30a266398111b..74bf5dc73b4ad 100644 --- a/includes/policy/standards/byrp/microsoft.azurearcdata.md +++ b/includes/policy/standards/byrp/microsoft.azurearcdata.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.azurestackhci.md b/includes/policy/standards/byrp/microsoft.azurestackhci.md index 61d8e756941a5..226bcc8d7fd81 100644 --- a/includes/policy/standards/byrp/microsoft.azurestackhci.md +++ b/includes/policy/standards/byrp/microsoft.azurestackhci.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.batch.md b/includes/policy/standards/byrp/microsoft.batch.md index 9dbaf6b3b6aed..72515b1374d1b 100644 --- a/includes/policy/standards/byrp/microsoft.batch.md +++ b/includes/policy/standards/byrp/microsoft.batch.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.botservice.md b/includes/policy/standards/byrp/microsoft.botservice.md index 462b2a9c59b2a..74d85e7acfe88 100644 --- a/includes/policy/standards/byrp/microsoft.botservice.md +++ b/includes/policy/standards/byrp/microsoft.botservice.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.cache.md b/includes/policy/standards/byrp/microsoft.cache.md index 0319ee9625f5e..28abab409c196 100644 --- a/includes/policy/standards/byrp/microsoft.cache.md +++ b/includes/policy/standards/byrp/microsoft.cache.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.classiccompute.md b/includes/policy/standards/byrp/microsoft.classiccompute.md index 9cbeaf2325a3c..1894ebfb919dd 100644 --- a/includes/policy/standards/byrp/microsoft.classiccompute.md +++ b/includes/policy/standards/byrp/microsoft.classiccompute.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.classicstorage.md b/includes/policy/standards/byrp/microsoft.classicstorage.md index 374e214ecb75c..ef1c1e65dbaf8 100644 --- a/includes/policy/standards/byrp/microsoft.classicstorage.md +++ b/includes/policy/standards/byrp/microsoft.classicstorage.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.cognitiveservices.md b/includes/policy/standards/byrp/microsoft.cognitiveservices.md index 56600ef1e57f7..edf8942df4c57 100644 --- a/includes/policy/standards/byrp/microsoft.cognitiveservices.md +++ b/includes/policy/standards/byrp/microsoft.cognitiveservices.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- @@ -17,18 +17,18 @@ For more information about this compliance standard, see |Domain |Control ID |Control title |Policy
(Azure portal) |Policy version
(GitHub) | |---|---|---|---|---| -|Access Control |AC.1.001 |Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|Access Control |AC.1.001 |Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |Access Control |AC.1.001 |Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | -|Access Control |AC.1.002 |Limit information system access to the types of transactions and functions that authorized users are permitted to execute. 
|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|Access Control |AC.1.002 |Limit information system access to the types of transactions and functions that authorized users are permitted to execute. |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |Access Control |AC.1.002 |Limit information system access to the types of transactions and functions that authorized users are permitted to execute. |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | -|Access Control |AC.2.016 |Control the flow of CUI in accordance with approved authorizations. 
|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|Access Control |AC.2.016 |Control the flow of CUI in accordance with approved authorizations. |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |Access Control |AC.2.016 |Control the flow of CUI in accordance with approved authorizations. |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | -|Configuration Management |CM.3.068 |Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. 
|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|Configuration Management |CM.3.068 |Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |Configuration Management |CM.3.068 |Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | -|System and Communications Protection |SC.1.175 |Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. 
|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|System and Communications Protection |SC.1.175 |Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |System and Communications Protection |SC.1.175 |Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | |System and Communications Protection |SC.3.177 |Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. 
|[Cognitive Services accounts should enable data encryption with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F67121cc7-ff39-4ab8-b7e3-95b84dab487d) |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CustomerManagedKey_Audit.json) | -|System and Communications Protection |SC.3.183 |Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|System and Communications Protection |SC.3.183 |Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |System and Communications Protection |SC.3.183 |Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). 
|[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | ## FedRAMP High 
@@ -45,17 +45,17 @@ For more information about this compliance standard, see |Access Control |AC-2 (1) |Automated System Account Management |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | |Access Control |AC-2 (7) |Role-Based Schemes |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | |Access Control |AC-3 |Access Enforcement |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | -|Access Control |AC-4 |Information Flow Enforcement |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|Access Control |AC-4 |Information Flow 
Enforcement |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |Access Control |AC-4 |Information Flow Enforcement |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | |Access Control |AC-4 |Information Flow Enforcement |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/EnablePrivateEndpoints_Audit.json) | |Access Control |AC-17 |Remote Access |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/EnablePrivateEndpoints_Audit.json) | |Access Control |AC-17 (1) |Automated Monitoring / Control |[Cognitive Services should use private 
link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/EnablePrivateEndpoints_Audit.json) | |Identification And Authentication |IA-2 |Identification And Authentication (Organizational Users) |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | |Identification And Authentication |IA-4 |Identifier Management |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | -|System And Communications Protection |SC-7 |Boundary Protection |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|System And Communications Protection |SC-7 |Boundary Protection |[Azure AI Services resources should restrict network 
access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |System And Communications Protection |SC-7 |Boundary Protection |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | |System And Communications Protection |SC-7 |Boundary Protection |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/EnablePrivateEndpoints_Audit.json) | -|System And Communications Protection |SC-7 (3) |Access Points |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|System And Communications Protection |SC-7 (3) |Access Points |[Azure AI Services resources should restrict network 
access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |System And Communications Protection |SC-7 (3) |Access Points |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | |System And Communications Protection |SC-7 (3) |Access Points |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/EnablePrivateEndpoints_Audit.json) | |System And Communications Protection |SC-12 |Cryptographic Key Establishment And Management |[Cognitive Services accounts should enable data encryption with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F67121cc7-ff39-4ab8-b7e3-95b84dab487d) |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CustomerManagedKey_Audit.json) | 
@@ -74,17 +74,17 @@ For more information about this compliance standard, see |Access Control |AC-2 (1) |Automated System Account Management |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | |Access Control |AC-2 (7) |Role-Based Schemes |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | |Access Control |AC-3 |Access Enforcement |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | -|Access Control |AC-4 |Information Flow Enforcement |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|Access Control |AC-4 |Information Flow 
Enforcement |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |Access Control |AC-4 |Information Flow Enforcement |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | |Access Control |AC-4 |Information Flow Enforcement |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/EnablePrivateEndpoints_Audit.json) | |Access Control |AC-17 |Remote Access |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/EnablePrivateEndpoints_Audit.json) | |Access Control |AC-17 (1) |Automated Monitoring / Control |[Cognitive Services should use private 
link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/EnablePrivateEndpoints_Audit.json) | |Identification And Authentication |IA-2 |Identification And Authentication (Organizational Users) |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | |Identification And Authentication |IA-4 |Identifier Management |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | -|System And Communications Protection |SC-7 |Boundary Protection |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|System And Communications Protection |SC-7 |Boundary Protection |[Azure AI Services resources should restrict network 
access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |System And Communications Protection |SC-7 |Boundary Protection |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | |System And Communications Protection |SC-7 |Boundary Protection |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/EnablePrivateEndpoints_Audit.json) | -|System And Communications Protection |SC-7 (3) |Access Points |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|System And Communications Protection |SC-7 (3) |Access Points |[Azure AI Services resources should restrict network 
access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |System And Communications Protection |SC-7 (3) |Access Points |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | |System And Communications Protection |SC-7 (3) |Access Points |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/EnablePrivateEndpoints_Audit.json) | |System And Communications Protection |SC-12 |Cryptographic Key Establishment And Management |[Cognitive Services accounts should enable data encryption with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F67121cc7-ff39-4ab8-b7e3-95b84dab487d) |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CustomerManagedKey_Audit.json) | @@ -102,7 +102,7 @@ standard, see |Domain |Control ID |Control title |Policy
(Azure portal) |Policy version
(GitHub) | |---|---|---|---|---| -|Network Security |NS-2 |Secure cloud services with network controls |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|Network Security |NS-2 |Secure cloud services with network controls |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |Network Security |NS-2 |Secure cloud services with network controls |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | |Network Security |NS-2 |Secure cloud services with network controls |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/EnablePrivateEndpoints_Audit.json) | |Identity Management |IM-1 |Use centralized identity and authentication system |[Azure AI Services resources 
should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | 
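Review bot: the only change in this hunk is the version column for "Azure AI Services resources should restrict network access" (3.1.0 to 3.2.0); the portal definition id `037eea7a-bd0a-46c5-9a66-03aea78705d3` and the GitHub path `Azure%20Ai%20Services/NetworkAcls_Audit.json` are unchanged, which is what a version bump of the same built-in policy should look like. Because the GitHub link targets `master`, it always shows the current definition rather than 3.2.0 specifically, so the number in the table cannot be checked from the link alone; please confirm 3.2.0 against the version declared in the linked definition file before merging, so the NS-2 mapping names the rule version that is actually deployed.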
@@ -124,20 +124,20 @@ For more information about this compliance standard, see |Access Control |3.1.13 |Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/EnablePrivateEndpoints_Audit.json) | |Access Control |3.1.14 |Route remote access via managed access control points. |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/EnablePrivateEndpoints_Audit.json) | |Access Control |3.1.2 |Limit system access to the types of transactions and functions that authorized users are permitted to execute. |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | -|Access Control |3.1.3 |Control the flow of CUI in accordance with approved authorizations. 
|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|Access Control |3.1.3 |Control the flow of CUI in accordance with approved authorizations. |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |Access Control |3.1.3 |Control the flow of CUI in accordance with approved authorizations. |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | |Access Control |3.1.3 |Control the flow of CUI in accordance with approved authorizations. 
|[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/EnablePrivateEndpoints_Audit.json) | -|System and Communications Protection |3.13.1 |Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|System and Communications Protection |3.13.1 |Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |System and Communications Protection |3.13.1 |Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. 
|[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | |System and Communications Protection |3.13.1 |Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/EnablePrivateEndpoints_Audit.json) | |System and Communications Protection |3.13.10 |Establish and manage cryptographic keys for cryptography employed in organizational systems. |[Cognitive Services accounts should enable data encryption with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F67121cc7-ff39-4ab8-b7e3-95b84dab487d) |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CustomerManagedKey_Audit.json) | -|System and Communications Protection |3.13.2 |Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. 
|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|System and Communications Protection |3.13.2 |Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |System and Communications Protection |3.13.2 |Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | |System and Communications Protection |3.13.2 |Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. 
|[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/EnablePrivateEndpoints_Audit.json) | -|System and Communications Protection |3.13.5 |Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|System and Communications Protection |3.13.5 |Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |System and Communications Protection |3.13.5 |Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. 
|[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | |System and Communications Protection |3.13.5 |Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/EnablePrivateEndpoints_Audit.json) | -|System and Communications Protection |3.13.6 |Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|System and Communications Protection |3.13.6 |Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). 
|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |System and Communications Protection |3.13.6 |Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | |Identification and Authentication |3.5.1 |Identify system users, processes acting on behalf of users, and devices. |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | |Identification and Authentication |3.5.2 |Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. 
|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | 
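Review bot: all five rows in this hunk that cite `NetworkAcls_Audit.json` (3.1.3, 3.13.1, 3.13.2, 3.13.5, 3.13.6) move to 3.2.0, while the rows for the other policies (`DisablePublicNetworkAccess_Audit.json` 3.0.1, `EnablePrivateEndpoints_Audit.json` 3.0.0, `CustomerManagedKey_Audit.json` 2.1.0, `DisableLocalAuth_Audit.json` 1.1.0) are untouched, so the change is correctly scoped to one policy. Worth a search of the rest of the file for any remaining `3.1.0` beside `NetworkAcls_Audit.json`: the hunks for the other standards follow the same pattern, and a missed table would leave one standard documented against a different rule version than the others.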
@@ -158,17 +158,17 @@ For more information about this compliance standard, see |Access Control |AC-2 (1) |Automated System Account Management |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | |Access Control |AC-2 (7) |Role-Based Schemes |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | |Access Control |AC-3 |Access Enforcement |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | -|Access Control |AC-4 |Information Flow Enforcement |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|Access Control |AC-4 |Information Flow 
Enforcement |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |Access Control |AC-4 |Information Flow Enforcement |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | |Access Control |AC-4 |Information Flow Enforcement |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/EnablePrivateEndpoints_Audit.json) | |Access Control |AC-17 |Remote Access |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/EnablePrivateEndpoints_Audit.json) | |Access Control |AC-17 (1) |Automated Monitoring / Control |[Cognitive Services should use private 
link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/EnablePrivateEndpoints_Audit.json) | |Identification And Authentication |IA-2 |Identification And Authentication (Organizational Users) |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | |Identification And Authentication |IA-4 |Identifier Management |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | -|System And Communications Protection |SC-7 |Boundary Protection |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|System And Communications Protection |SC-7 |Boundary Protection |[Azure AI Services resources should restrict network 
access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |System And Communications Protection |SC-7 |Boundary Protection |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | |System And Communications Protection |SC-7 |Boundary Protection |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/EnablePrivateEndpoints_Audit.json) | -|System And Communications Protection |SC-7 (3) |Access Points |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|System And Communications Protection |SC-7 (3) |Access Points |[Azure AI Services resources should restrict network 
access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |System And Communications Protection |SC-7 (3) |Access Points |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | |System And Communications Protection |SC-7 (3) |Access Points |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/EnablePrivateEndpoints_Audit.json) | |System And Communications Protection |SC-12 |Cryptographic Key Establishment And Management |[Cognitive Services accounts should enable data encryption with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F67121cc7-ff39-4ab8-b7e3-95b84dab487d) |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CustomerManagedKey_Audit.json) | 
@@ -187,17 +187,17 @@ For more information about this compliance standard, see |Access Control |AC-2 (1) |Automated System Account Management |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | |Access Control |AC-2 (7) |Privileged User Accounts |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | |Access Control |AC-3 |Access Enforcement |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | -|Access Control |AC-4 |Information Flow Enforcement |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|Access Control |AC-4 |Information 
Flow Enforcement |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |Access Control |AC-4 |Information Flow Enforcement |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | |Access Control |AC-4 |Information Flow Enforcement |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/EnablePrivateEndpoints_Audit.json) | |Access Control |AC-17 |Remote Access |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/EnablePrivateEndpoints_Audit.json) | |Access Control |AC-17 (1) |Monitoring and Control |[Cognitive Services should use private 
link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/EnablePrivateEndpoints_Audit.json) | |Identification and Authentication |IA-2 |Identification and Authentication (organizational Users) |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | |Identification and Authentication |IA-4 |Identifier Management |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | -|System and Communications Protection |SC-7 |Boundary Protection |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|System and Communications Protection |SC-7 |Boundary Protection |[Azure AI Services resources should restrict network 
access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |System and Communications Protection |SC-7 |Boundary Protection |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | |System and Communications Protection |SC-7 |Boundary Protection |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/EnablePrivateEndpoints_Audit.json) | -|System and Communications Protection |SC-7 (3) |Access Points |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|System and Communications Protection |SC-7 (3) |Access Points |[Azure AI Services resources should restrict network 
access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |System and Communications Protection |SC-7 (3) |Access Points |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | |System and Communications Protection |SC-7 (3) |Access Points |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/EnablePrivateEndpoints_Audit.json) | |System and Communications Protection |SC-12 |Cryptographic Key Establishment and Management |[Cognitive Services accounts should enable data encryption with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F67121cc7-ff39-4ab8-b7e3-95b84dab487d) |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CustomerManagedKey_Audit.json) | @@ -213,7 +213,7 @@ For more information about this compliance standard, see |Domain |Control ID |Control title |Policy
(Azure portal) |Policy version
(GitHub) | |---|---|---|---|---| |U.05.2 Data protection - Cryptographic measures | U.05.2 |Data stored in the cloud service shall be protected to the latest state of the art. |[Cognitive Services accounts should enable data encryption with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F67121cc7-ff39-4ab8-b7e3-95b84dab487d) |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CustomerManagedKey_Audit.json) | -|U.07.1 Data separation - Isolated | U.07.1 |Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|U.07.1 Data separation - Isolated | U.07.1 |Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |U.07.1 Data separation - Isolated | U.07.1 |Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. 
|[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | |U.07.1 Data separation - Isolated | U.07.1 |Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/EnablePrivateEndpoints_Audit.json) | |U.07.3 Data separation - Management features | U.07.3 |U.07.3 - The privileges to view or modify CSC data and/or encryption keys are granted in a controlled manner and use is logged. |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | @@ -232,7 +232,7 @@ For more information about this compliance standard, see |Domain |Control ID |Control title |Policy
(Azure portal) |Policy version
(GitHub) | |---|---|---|---|---| -|Anti-Phishing | |Anti-Phishing-14.1 |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|Anti-Phishing | |Anti-Phishing-14.1 |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |Anti-Phishing | |Anti-Phishing-14.1 |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | |Metrics | |Metrics-21.1 |[Cognitive Services accounts should enable data encryption with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F67121cc7-ff39-4ab8-b7e3-95b84dab487d) |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CustomerManagedKey_Audit.json) | diff --git a/includes/policy/standards/byrp/microsoft.compute.md b/includes/policy/standards/byrp/microsoft.compute.md index d5ece8cacc63b..a993ea65f87f5 100644 
--- a/includes/policy/standards/byrp/microsoft.compute.md +++ b/includes/policy/standards/byrp/microsoft.compute.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- @@ -230,7 +230,7 @@ For more information about this compliance standard, see |Domain |Control ID |Control title |Policy
(Azure portal) |Policy version
(GitHub) | |---|---|---|---|---| -|2.1 | 2.1.13 |Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' |[Machines should be configured to periodically check for missing system updates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd876905-5b84-4f73-ab2d-2e7a7c4568d9) |[3.6.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json) | +|2.1 | 2.1.13 |Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' |[Machines should be configured to periodically check for missing system updates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd876905-5b84-4f73-ab2d-2e7a7c4568d9) |[3.7.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json) | |6 | 6.1 |Ensure that RDP access from the Internet is evaluated and restricted |[Management ports should be closed on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22730e10-96f6-4aac-ad84-9383d35b5917) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OpenManagementPortsOnVirtualMachines_Audit.json) | |6 | 6.2 |Ensure that SSH access from the Internet is evaluated and restricted |[Management ports should be closed on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22730e10-96f6-4aac-ad84-9383d35b5917) 
|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OpenManagementPortsOnVirtualMachines_Audit.json) | |7 | 7.2 |Ensure Virtual Machines are utilizing Managed Disks |[Audit VMs that do not use managed disks](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F06a78e20-9358-41c9-923c-fb736d382a4d) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VMRequireManagedDisk_Audit.json) | 
@@ -967,7 +967,7 @@ standard, see |Posture and Vulnerability Management |PV-5 |Perform vulnerability assessments |[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) | |Posture and Vulnerability Management |PV-5 |Perform vulnerability assessments |[Machines should have secret findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3ac7c827-eea2-4bde-acc7-9568cd320efa) |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerSecretAssessment_Audit.json) | |Posture and Vulnerability Management |PV-6 |Rapidly and automatically remediate vulnerabilities |[[Preview]: System updates should be installed on your machines (powered by Update Center)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff85bf3e0-d513-442e-89c3-1784ad63382b) |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdatesV2_Audit.json) | -|Posture and Vulnerability Management |PV-6 |Rapidly and automatically remediate vulnerabilities |[Machines should be configured to periodically check for missing system updates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd876905-5b84-4f73-ab2d-2e7a7c4568d9) 
|[3.6.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json) | +|Posture and Vulnerability Management |PV-6 |Rapidly and automatically remediate vulnerabilities |[Machines should be configured to periodically check for missing system updates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd876905-5b84-4f73-ab2d-2e7a7c4568d9) |[3.7.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json) | |Posture and Vulnerability Management |PV-6 |Rapidly and automatically remediate vulnerabilities |[SQL servers on machines should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6ba6d016-e7c3-4842-b8f2-4992ebc0d72d) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerSQLVulnerabilityAssessment_Audit.json) | |Posture and Vulnerability Management |PV-6 |Rapidly and automatically remediate vulnerabilities |[System updates on virtual machine scale sets should be installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3f317a7-a95c-4547-b7e7-11017ebdf2fe) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingSystemUpdates_Audit.json) | |Posture and Vulnerability Management |PV-6 |Rapidly and automatically remediate vulnerabilities |[System updates should be installed on your 
machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F86b3d65f-7626-441e-b690-81a8b71cff60) |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdates_Audit.json) | diff --git a/includes/policy/standards/byrp/microsoft.connectedvmwarevsphere.md b/includes/policy/standards/byrp/microsoft.connectedvmwarevsphere.md index 62f67040fe6c1..8eecba409bdd2 100644 --- a/includes/policy/standards/byrp/microsoft.connectedvmwarevsphere.md +++ b/includes/policy/standards/byrp/microsoft.connectedvmwarevsphere.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.containerinstance.md b/includes/policy/standards/byrp/microsoft.containerinstance.md index 83b0df5650bbf..dde8791e08a0a 100644 --- a/includes/policy/standards/byrp/microsoft.containerinstance.md +++ b/includes/policy/standards/byrp/microsoft.containerinstance.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.containerregistry.md b/includes/policy/standards/byrp/microsoft.containerregistry.md index 24bc7ca56c763..85bb029a79292 100644 --- a/includes/policy/standards/byrp/microsoft.containerregistry.md +++ b/includes/policy/standards/byrp/microsoft.containerregistry.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
@@ -21,7 +21,6 @@ For more information about this compliance standard, see |Access Control |AC.1.002 |Limit information system access to the types of transactions and functions that authorized users are permitted to execute. |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |Access Control |AC.2.016 |Control the flow of CUI in accordance with approved authorizations. |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |Configuration Management |CM.3.068 |Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | -|Risk Assessment |RM.2.143 |Remediate vulnerabilities in accordance with risk assessments. 
|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |System and Communications Protection |SC.1.175 |Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |System and Communications Protection |SC.3.177 |Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. |[Container registries should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) |[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) | |System and Communications Protection |SC.3.183 |Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). 
|[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | 
@@ -40,7 +39,6 @@ For more information about this compliance standard, see |Access Control |AC-4 |Information Flow Enforcement |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |Access Control |AC-17 |Remote Access |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |Access Control |AC-17 (1) |Automated Monitoring / Control |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | -|Risk Assessment |RA-5 |Vulnerability Scanning |[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |System And Communications Protection |SC-7 |Boundary Protection |[Container registries should not allow 
unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |System And Communications Protection |SC-7 |Boundary Protection |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |System And Communications Protection |SC-7 (3) |Access Points |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | 
@@ -61,7 +59,6 @@ For more information about this compliance standard, see |Access Control |AC-4 |Information Flow Enforcement |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |Access Control |AC-17 |Remote Access |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |Access Control |AC-17 (1) |Automated Monitoring / Control |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | -|Risk Assessment |RA-5 |Vulnerability Scanning |[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |System And Communications Protection |SC-7 |Boundary Protection |[Container registries should not allow 
unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |System And Communications Protection |SC-7 |Boundary Protection |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |System And Communications Protection |SC-7 (3) |Access Points |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | 
@@ -103,9 +100,7 @@ standard, see |Network Security |NS-2 |Secure cloud services with network controls |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |Data Protection |DP-5 |Use customer-managed key option in data at rest encryption when required |[Container registries should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) |[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) | |Posture and Vulnerability Management |PV-6 |Rapidly and automatically remediate vulnerabilities |[Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F090c7b07-b4ed-4561-ad20-e9075f3ccaff) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_AzureContainerRegistryVulnerabilityAssessment_Audit.json) | -|Posture and Vulnerability Management |PV-6 |Rapidly and automatically remediate vulnerabilities |[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) 
|[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |DevOps Security |DS-6 |Enforce security of workload throughout DevOps lifecycle |[Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F090c7b07-b4ed-4561-ad20-e9075f3ccaff) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_AzureContainerRegistryVulnerabilityAssessment_Audit.json) | -|DevOps Security |DS-6 |Enforce security of workload throughout DevOps lifecycle |[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | ## NIST SP 800-171 R2 
@@ -123,8 +118,6 @@ For more information about this compliance standard, see |Access Control |3.1.14 |Route remote access via managed access control points. |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |Access Control |3.1.3 |Control the flow of CUI in accordance with approved authorizations. |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |Access Control |3.1.3 |Control the flow of CUI in accordance with approved authorizations. |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | -|Risk Assessment |3.11.2 |Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. 
|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | -|Risk Assessment |3.11.3 |Remediate vulnerabilities in accordance with risk assessments. |[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |System and Communications Protection |3.13.1 |Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |System and Communications Protection |3.13.1 |Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. 
|[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |System and Communications Protection |3.13.10 |Establish and manage cryptographic keys for cryptography employed in organizational systems. |[Container registries should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) |[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) | 
@@ -148,7 +141,6 @@ For more information about this compliance standard, see |Access Control |AC-4 |Information Flow Enforcement |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |Access Control |AC-17 |Remote Access |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |Access Control |AC-17 (1) |Automated Monitoring / Control |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | -|Risk Assessment |RA-5 |Vulnerability Scanning |[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |System And Communications Protection |SC-7 |Boundary Protection |[Container registries should not allow 
unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |System And Communications Protection |SC-7 |Boundary Protection |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |System And Communications Protection |SC-7 (3) |Access Points |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | 
@@ -169,7 +161,6 @@ For more information about this compliance standard, see |Access Control |AC-4 |Information Flow Enforcement |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |Access Control |AC-17 |Remote Access |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |Access Control |AC-17 (1) |Monitoring and Control |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | -|Risk Assessment |RA-5 |Vulnerability Monitoring and Scanning |[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |System and Communications Protection |SC-7 |Boundary Protection |[Container registries should not 
allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |System and Communications Protection |SC-7 |Boundary Protection |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |System and Communications Protection |SC-7 (3) |Access Points |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | 
@@ -189,22 +180,8 @@ For more information about this compliance standard, see |U.05.2 Data protection - Cryptographic measures | U.05.2 |Data stored in the cloud service shall be protected to the latest state of the art. |[Container registries should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) |[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) | |U.07.1 Data separation - Isolated | U.07.1 |Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |U.07.1 Data separation - Isolated | U.07.1 |Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | -|U.09.3 Malware Protection - Detection, prevention and recovery | U.09.3 |The malware protection runs on different environments. 
|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |U.11.3 Cryptoservices - Encrypted | U.11.3 |Sensitive data is always encrypted, with private keys managed by the CSC. |[Container registries should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) |[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) | -## Reserve Bank of India - IT Framework for NBFC - -To review how the available Azure Policy built-ins for all Azure services map to this compliance -standard, see -[Azure Policy Regulatory Compliance - Reserve Bank of India - IT Framework for NBFC](../../../../articles/governance/policy/samples/rbi-itf-nbfc-2017.md). -For more information about this compliance standard, see -[Reserve Bank of India - IT Framework for NBFC](https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=10999&Mode=0#C1). - -|Domain |Control ID |Control title |Policy
(Azure portal) |Policy version
(GitHub) | -|---|---|---|---|---| -|IT Governance | 1 |IT Governance-1 |[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | -|Information and Cyber Security | 3.3 |Vulnerability Management-3.3 |[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | - ## Reserve Bank of India IT Framework for Banks v2016 To review how the available Azure Policy built-ins for all Azure services map to this compliance @@ -215,7 +192,6 @@ For more information about this compliance standard, see |Domain |Control ID |Control title |Policy
(Azure portal) |Policy version
(GitHub) | |---|---|---|---|---| -|Preventing Execution Of Unauthorised Software | |Security Update Management-2.3 |[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |Metrics | |Metrics-21.1 |[Container registries should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) |[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) | |Patch/Vulnerability & Change Management | |Patch/Vulnerability & Change Management-7.7 |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |Patch/Vulnerability & Change Management | |Patch/Vulnerability & Change Management-7.7 |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | 
@@ -235,7 +211,6 @@ For more information about this compliance standard, see |Network Resilience | 10.33 |Network Resilience - 10.33 |[Public network access should be disabled for Container registries](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fdf0491-d080-4575-b627-ad0e843cba0f) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PublicNetworkAccess_AuditDeny.json) | |Cloud Services | 10.53 |Cloud Services - 10.53 |[Container registries should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) |[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) | |Data Loss Prevention (DLP) | 11.15 |Data Loss Prevention (DLP) - 11.15 |[Configure Container registries to disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa3701552-92ea-433e-9d17-33b7f1208fc9) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PublicNetworkAccess_Modify.json) | -|Cybersecurity Operations | 11.8 |Cybersecurity Operations - 11.8 |[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | 
## SWIFT CSP-CSCF v2021 diff --git a/includes/policy/standards/byrp/microsoft.containerservice.md b/includes/policy/standards/byrp/microsoft.containerservice.md index 9db5afea9dbd2..2ee2ca31cdb78 100644 --- a/includes/policy/standards/byrp/microsoft.containerservice.md +++ b/includes/policy/standards/byrp/microsoft.containerservice.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
@@ -195,9 +195,7 @@ standard, see |Posture and Vulnerability Management |PV-2 |Audit and enforce secure configurations |[Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd2e7ea85-6b44-4317-a0be-1b951587f626) |[5.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerDisallowedSysAdminCapability.json) | |Posture and Vulnerability Management |PV-2 |Audit and enforce secure configurations |[Kubernetes clusters should not use the default namespace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9f061a12-e40d-4183-a00e-171812443373) |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockDefaultNamespace.json) | |Posture and Vulnerability Management |PV-6 |Rapidly and automatically remediate vulnerabilities |[Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17f4b1cc-c55c-4d94-b1f9-2978f6ac2957) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_K8sRuningImagesVulnerabilityAssessmentBasedOnMDVM_Audit.json) | -|Posture and Vulnerability Management |PV-6 |Rapidly and automatically remediate vulnerabilities |[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) 
|[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) | |DevOps Security |DS-6 |Enforce security of workload throughout DevOps lifecycle |[Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17f4b1cc-c55c-4d94-b1f9-2978f6ac2957) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_K8sRuningImagesVulnerabilityAssessmentBasedOnMDVM_Audit.json) | -|DevOps Security |DS-6 |Enforce security of workload throughout DevOps lifecycle |[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) | ## NIST SP 800-171 R2 
@@ -349,7 +347,6 @@ For more information about this compliance standard, see |U.05.2 Data protection - Cryptographic measures | U.05.2 |Data stored in the cloud service shall be protected to the latest state of the art. |[Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F41425d9f-d1a5-499a-9932-f8ed8453932c) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_EncryptionAtHost_Deny.json) | |U.07.1 Data separation - Isolated | U.07.1 |Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | |U.07.3 Data separation - Management features | U.07.3 |U.07.3 - The privileges to view or modify CSC data and/or encryption keys are granted in a controlled manner and use is logged. |[Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) | -|U.09.3 Malware Protection - Detection, prevention and recovery | U.09.3 |The malware protection runs on different environments. 
|[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) | |U.09.3 Malware Protection - Detection, prevention and recovery | U.09.3 |The malware protection runs on different environments. |[Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffb893a29-21bb-418c-a157-e99480ec364c) |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UpgradeVersion_KubernetesService_Audit.json) | |U.10.2 Access to IT services and data - Users | U.10.2 |Under the responsibility of the CSP, access is granted to administrators. |[Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) | |U.10.3 Access to IT services and data - Users | U.10.3 |Only users with authenticated equipment can access IT services and data. 
|[Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) | 
@@ -374,7 +371,6 @@ For more information about this compliance standard, see |Information and Cyber Security | 3.1.a |Identification and Classification of Information Assets-3.1 |[Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) | |Information and Cyber Security | 3.1.c |Role based Access Control-3.1 |[Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) | |Information and Cyber Security | 3.1.g |Trails-3.1 |[Azure Kubernetes Service clusters should have Defender profile enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa1840de2-8088-4ea8-b153-b4c723e9cb01) |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_AKS_SecurityProfile_Audit.json) | -|Information and Cyber Security | 3.3 |Vulnerability Management-3.3 |[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) 
|[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) | |Information and Cyber Security | 3.3 |Vulnerability Management-3.3 |[Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffb893a29-21bb-418c-a157-e99480ec364c) |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UpgradeVersion_KubernetesService_Audit.json) | ## Reserve Bank of India IT Framework for Banks v2016 
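Review bot: Dropping the "Vulnerability Management-3.3" row for the Qualys-powered policy leaves control 3.3 mapped to a single policy, the Kubernetes version upgrade audit, and this hunk adds no replacement. If the Qualys definition (0fc39691-5a3f-4e3e-94ee-2e6447309ad9) is retired, the PR description should say so, and if the crosswalk has a successor vulnerability-assessment policy it should be mapped here in the same regeneration so the control does not end up thinner than before.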
@@ -390,7 +386,6 @@ For more information about this compliance standard, see |Patch/Vulnerability & Change Management | |Patch/Vulnerability & Change Management-7.7 |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | |Advanced Real-Timethreat Defenceand Management | |Advanced Real-Timethreat Defenceand Management-13.2 |[Azure Kubernetes Service clusters should have Defender profile enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa1840de2-8088-4ea8-b153-b4c723e9cb01) |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_AKS_SecurityProfile_Audit.json) | |User Access Control / Management | |User Access Control / Management-8.1 |[Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) | -|Preventing Execution Of Unauthorised Software | |Security Update Management-2.3 |[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) 
|[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) | ## RMIT Malaysia diff --git a/includes/policy/standards/byrp/microsoft.databox.md b/includes/policy/standards/byrp/microsoft.databox.md index 5725f7b34892b..f5ff4dcadc6fa 100644 --- a/includes/policy/standards/byrp/microsoft.databox.md +++ b/includes/policy/standards/byrp/microsoft.databox.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.databoxedge.md b/includes/policy/standards/byrp/microsoft.databoxedge.md index 6784c9ce8eabb..ab81748fe1cce 100644 --- a/includes/policy/standards/byrp/microsoft.databoxedge.md +++ b/includes/policy/standards/byrp/microsoft.databoxedge.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.databricks.md b/includes/policy/standards/byrp/microsoft.databricks.md index 723f776e43131..4f6bdfc7b7ffb 100644 --- a/includes/policy/standards/byrp/microsoft.databricks.md +++ b/includes/policy/standards/byrp/microsoft.databricks.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.datafactory.md b/includes/policy/standards/byrp/microsoft.datafactory.md index 45e6edf85d9d7..aa66db4c38544 100644 --- a/includes/policy/standards/byrp/microsoft.datafactory.md +++ b/includes/policy/standards/byrp/microsoft.datafactory.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.datalakeanalytics.md b/includes/policy/standards/byrp/microsoft.datalakeanalytics.md index ac8619d4772ba..16a7b9863c78d 100644 --- a/includes/policy/standards/byrp/microsoft.datalakeanalytics.md +++ b/includes/policy/standards/byrp/microsoft.datalakeanalytics.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.datalakestore.md b/includes/policy/standards/byrp/microsoft.datalakestore.md index cb98802b8724c..4f087df04645c 100644 --- a/includes/policy/standards/byrp/microsoft.datalakestore.md +++ b/includes/policy/standards/byrp/microsoft.datalakestore.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.dbformariadb.md b/includes/policy/standards/byrp/microsoft.dbformariadb.md index 340ca151784d9..274b3d12fe65e 100644 --- a/includes/policy/standards/byrp/microsoft.dbformariadb.md +++ b/includes/policy/standards/byrp/microsoft.dbformariadb.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.dbformysql.md b/includes/policy/standards/byrp/microsoft.dbformysql.md index 08640720b3f78..424696df15fd6 100644 --- a/includes/policy/standards/byrp/microsoft.dbformysql.md +++ b/includes/policy/standards/byrp/microsoft.dbformysql.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.dbforpostgresql.md b/includes/policy/standards/byrp/microsoft.dbforpostgresql.md index 791c914d0b775..43bdfd6a46742 100644 --- a/includes/policy/standards/byrp/microsoft.dbforpostgresql.md +++ b/includes/policy/standards/byrp/microsoft.dbforpostgresql.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
@@ -206,8 +206,8 @@ standard, see |---|---|---|---|---| |Network Security |NS-2 |Secure cloud services with network controls |[Private endpoint should be enabled for PostgreSQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0564d078-92f5-4f97-8398-b9f58a51f70b) |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnablePrivateEndPoint_Audit.json) | |Network Security |NS-2 |Secure cloud services with network controls |[Public network access should be disabled for PostgreSQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb52376f7-9612-48a1-81cd-1ffe4b61032c) |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_DisablePublicNetworkAccess_Audit.json) | +|Identity Management |IM-1 |Use centralized identity and authentication system |[A Microsoft Entra administrator should be provisioned for PostgreSQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb4dec045-250a-48c2-b5cc-e0c4eec8b5b4) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_AuditServerADAdmins_Audit.json) | |Data Protection |DP-3 |Encrypt sensitive data in transit |[Enforce SSL connection should be enabled for PostgreSQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd158790f-bfb0-486c-8631-2dc6b4e8e6af) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableSSL_Audit.json) | -|Data Protection |DP-4 |Enable data at rest encryption by default 
|[A Microsoft Entra administrator should be provisioned for PostgreSQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb4dec045-250a-48c2-b5cc-e0c4eec8b5b4) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_AuditServerADAdmins_Audit.json) | |Data Protection |DP-5 |Use customer-managed key option in data at rest encryption when required |[PostgreSQL servers should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F18adea5e-f416-4d0f-8aa8-d24321e3e274) |[1.0.4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableByok_Audit.json) | |Logging and Threat Detection |LT-1 |Enable threat detection capabilities |[Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd38668f5-d155-42c7-ab3d-9b57b50f8fbf) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/PostgreSQL_FlexibleServers_DefenderForSQL_Audit.json) | |Logging and Threat Detection |LT-2 |Enable threat detection for identity and access management |[Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd38668f5-d155-42c7-ab3d-9b57b50f8fbf) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/PostgreSQL_FlexibleServers_DefenderForSQL_Audit.json) | 
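Review bot: The remap is the right fix: "A Microsoft Entra administrator should be provisioned for PostgreSQL servers" audits how users authenticate, so it belongs under IM-1 "Use centralized identity and authentication system" and not under DP-4 "Enable data at rest encryption by default". The removed DP-4 row and the added IM-1 row reference the same definition (b4dec045-250a-48c2-b5cc-e0c4eec8b5b4) at the same version 1.0.1 and the same GitHub path, so no mapping is lost. Note that DP-4 has no policy row left in this hunk after the change; that is consistent with the Entra admin policy never having satisfied an at-rest encryption control, but the PR description should call out the DP-4 coverage change for readers who audit against this table.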
diff --git a/includes/policy/standards/byrp/microsoft.devices.md b/includes/policy/standards/byrp/microsoft.devices.md index 178562e954710..4bcaedbea8008 100644 --- a/includes/policy/standards/byrp/microsoft.devices.md +++ b/includes/policy/standards/byrp/microsoft.devices.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.documentdb.md b/includes/policy/standards/byrp/microsoft.documentdb.md index c549d296ea5f1..6842ee35b1ce2 100644 --- a/includes/policy/standards/byrp/microsoft.documentdb.md +++ b/includes/policy/standards/byrp/microsoft.documentdb.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.edgeorder.md b/includes/policy/standards/byrp/microsoft.edgeorder.md index 76a95d938a80b..699067f421496 100644 --- a/includes/policy/standards/byrp/microsoft.edgeorder.md +++ b/includes/policy/standards/byrp/microsoft.edgeorder.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.eventgrid.md b/includes/policy/standards/byrp/microsoft.eventgrid.md index 78f355ddf3acd..54d1a9c898b9c 100644 --- a/includes/policy/standards/byrp/microsoft.eventgrid.md +++ b/includes/policy/standards/byrp/microsoft.eventgrid.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.eventhub.md b/includes/policy/standards/byrp/microsoft.eventhub.md index 15f313cc43707..e983aece719ca 100644 
--- a/includes/policy/standards/byrp/microsoft.eventhub.md +++ b/includes/policy/standards/byrp/microsoft.eventhub.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.guestconfiguration.md b/includes/policy/standards/byrp/microsoft.guestconfiguration.md index 33e571392b84c..1d812a71e67b3 100644 --- a/includes/policy/standards/byrp/microsoft.guestconfiguration.md +++ b/includes/policy/standards/byrp/microsoft.guestconfiguration.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.hdinsight.md b/includes/policy/standards/byrp/microsoft.hdinsight.md index 0ca0bc88585bc..789342f472609 100644 --- a/includes/policy/standards/byrp/microsoft.hdinsight.md +++ b/includes/policy/standards/byrp/microsoft.hdinsight.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.healthcareapis.md b/includes/policy/standards/byrp/microsoft.healthcareapis.md index 2b1bbbb4f1b5e..e34a039f75509 100644 --- a/includes/policy/standards/byrp/microsoft.healthcareapis.md +++ b/includes/policy/standards/byrp/microsoft.healthcareapis.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.hybridcompute.md b/includes/policy/standards/byrp/microsoft.hybridcompute.md index 40e77796a0104..bc0eb4527d112 100644 --- a/includes/policy/standards/byrp/microsoft.hybridcompute.md 
+++ b/includes/policy/standards/byrp/microsoft.hybridcompute.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- @@ -62,7 +62,7 @@ For more information about this compliance standard, see |Domain |Control ID |Control title |Policy
(Azure portal) |Policy version
(GitHub) | |---|---|---|---|---| -|2.1 | 2.1.13 |Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' |[Machines should be configured to periodically check for missing system updates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd876905-5b84-4f73-ab2d-2e7a7c4568d9) |[3.6.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json) | +|2.1 | 2.1.13 |Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' |[Machines should be configured to periodically check for missing system updates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd876905-5b84-4f73-ab2d-2e7a7c4568d9) |[3.7.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json) | |7 | 7.6 |Ensure that Endpoint Protection for all Virtual Machines is installed |[Endpoint protection should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f7c564c-0a90-4d44-b7e1-9d456cffaee8) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EndpointProtectionShouldBeInstalledOnYourMachines_Audit.json) | ## CMMC Level 3 
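Review bot: The version bump for "Machines should be configured to periodically check for missing system updates" (definition bd876905-5b84-4f73-ab2d-2e7a7c4568d9) from 3.6.0 to 3.7.0 is applied here for CIS 2.1.13 and again for PV-6 in the next hunk of this file, so the two tables stay consistent. The GitHub link path is unchanged, which is expected because the definition file is versioned in place; the only thing a reader loses is a pointer to what changed between 3.6.0 and 3.7.0, so a one-line summary in the PR description would help.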
@@ -306,7 +306,7 @@ standard, see |Posture and Vulnerability Management |PV-4 |Audit and enforce secure configurations for compute resources |[Linux machines should meet requirements for the Azure compute security baseline](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffc9b3da7-8347-4380-8e70-0a0361d8dedd) |[2.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/AzureLinuxBaseline_AINE.json) | |Posture and Vulnerability Management |PV-4 |Audit and enforce secure configurations for compute resources |[Windows machines should meet requirements of the Azure compute security baseline](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F72650e9f-97bc-4b2a-ab5f-9781a9fcecbc) |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/AzureWindowsBaseline_AINE.json) | |Posture and Vulnerability Management |PV-6 |Rapidly and automatically remediate vulnerabilities |[[Preview]: System updates should be installed on your machines (powered by Update Center)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff85bf3e0-d513-442e-89c3-1784ad63382b) |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdatesV2_Audit.json) | -|Posture and Vulnerability Management |PV-6 |Rapidly and automatically remediate vulnerabilities |[Machines should be configured to periodically check for missing system updates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd876905-5b84-4f73-ab2d-2e7a7c4568d9) 
|[3.6.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json) | +|Posture and Vulnerability Management |PV-6 |Rapidly and automatically remediate vulnerabilities |[Machines should be configured to periodically check for missing system updates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd876905-5b84-4f73-ab2d-2e7a7c4568d9) |[3.7.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json) | |Posture and Vulnerability Management |PV-6 |Rapidly and automatically remediate vulnerabilities |[SQL servers on machines should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6ba6d016-e7c3-4842-b8f2-4992ebc0d72d) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerSQLVulnerabilityAssessment_Audit.json) | |Endpoint Security |ES-2 |Use modern anti-malware software |[Endpoint protection health issues should be resolved on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EndpointProtectionHealthIssues_Audit.json) | |Endpoint Security |ES-2 |Use modern anti-malware software |[Endpoint protection should be installed on your 
machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f7c564c-0a90-4d44-b7e1-9d456cffaee8) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EndpointProtectionShouldBeInstalledOnYourMachines_Audit.json) | diff --git a/includes/policy/standards/byrp/microsoft.insights.md b/includes/policy/standards/byrp/microsoft.insights.md index de7d96a93d2cf..95d0b8e712ad9 100644 --- a/includes/policy/standards/byrp/microsoft.insights.md +++ b/includes/policy/standards/byrp/microsoft.insights.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.keyvault.md b/includes/policy/standards/byrp/microsoft.keyvault.md index c23c3ad9b184a..a17c8326fd086 100644 --- a/includes/policy/standards/byrp/microsoft.keyvault.md +++ b/includes/policy/standards/byrp/microsoft.keyvault.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.kubernetes.md b/includes/policy/standards/byrp/microsoft.kubernetes.md index 34e5976cb7522..330caecad320f 100644 --- a/includes/policy/standards/byrp/microsoft.kubernetes.md +++ b/includes/policy/standards/byrp/microsoft.kubernetes.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.kubernetesconfiguration.md b/includes/policy/standards/byrp/microsoft.kubernetesconfiguration.md index 9de05d5f377c7..99c1e4a15a7ca 100644 
--- a/includes/policy/standards/byrp/microsoft.kubernetesconfiguration.md +++ b/includes/policy/standards/byrp/microsoft.kubernetesconfiguration.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.kusto.md b/includes/policy/standards/byrp/microsoft.kusto.md index b515ca7a0a2ac..df2b34ecb82c9 100644 --- a/includes/policy/standards/byrp/microsoft.kusto.md +++ b/includes/policy/standards/byrp/microsoft.kusto.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.logic.md b/includes/policy/standards/byrp/microsoft.logic.md index d920edef1452c..09d5dbbde678e 100644 --- a/includes/policy/standards/byrp/microsoft.logic.md +++ b/includes/policy/standards/byrp/microsoft.logic.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.machinelearningservices.md b/includes/policy/standards/byrp/microsoft.machinelearningservices.md index 57a5ab0494768..7155e19984c22 100644 --- a/includes/policy/standards/byrp/microsoft.machinelearningservices.md +++ b/includes/policy/standards/byrp/microsoft.machinelearningservices.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
@@ -57,7 +57,7 @@ standard, see |Network Security |NS-2 |Secure cloud services with network controls |[Azure Machine Learning Computes should be in a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7804b5c7-01dc-4723-969b-ae300cc07ff1) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Vnet_Audit.json) | |Network Security |NS-2 |Secure cloud services with network controls |[Azure Machine Learning Workspaces should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F438c38d2-3772-465a-a9cc-7a6666a275ce) |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PublicNetworkAccessDisabled_Audit.json) | |Network Security |NS-2 |Secure cloud services with network controls |[Azure Machine Learning workspaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F45e05259-1eb5-4f70-9574-baf73e9d219b) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PrivateEndpoint_Audit_V2.json) | -|Identity Management |IM-1 |Use centralized identity and authentication system |[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Audit.json) | +|Identity Management |IM-1 |Use centralized identity 
and authentication system |[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Audit.json) | |Data Protection |DP-5 |Use customer-managed key option in data at rest encryption when required |[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | |Logging and Threat Detection |LT-3 |Enable logging for security investigation |[Resource logs in Azure Machine Learning Workspaces should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fafe0c3be-ba3b-4544-ba52-0c99672a8ad6) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/AuditDiagnosticLog_Audit.json) | |Posture and Vulnerability Management |PV-2 |Audit and enforce secure configurations |[Azure Machine Learning compute instances should be recreated to get the latest software updates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff110a506-2dcb-422e-bcea-d533fc8c35e2) |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/ComputeInstanceUpdates_Audit.json) | 
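Review bot: The bump for "Azure Machine Learning Computes should have local authentication methods disabled" (definition e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) goes from 2.0.1 to 2.1.0, a minor-version increment rather than a patch increment, which normally signals a change in the policy's evaluation logic or scope; the PR description should state what changed, since readers use this table to decide whether the control still covers their compute types. The same definition is bumped in lockstep in the U.10.2, U.10.3 and U.10.5 rows of the next hunk, so the file is internally consistent.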
@@ -131,9 +131,9 @@ For more information about this compliance standard, see |U.07.1 Data separation - Isolated | U.07.1 |Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. |[Azure Machine Learning Computes should be in a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7804b5c7-01dc-4723-969b-ae300cc07ff1) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Vnet_Audit.json) | |U.07.1 Data separation - Isolated | U.07.1 |Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. |[Azure Machine Learning Workspaces should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F438c38d2-3772-465a-a9cc-7a6666a275ce) |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PublicNetworkAccessDisabled_Audit.json) | |U.07.1 Data separation - Isolated | U.07.1 |Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. |[Azure Machine Learning workspaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F45e05259-1eb5-4f70-9574-baf73e9d219b) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PrivateEndpoint_Audit_V2.json) | -|U.10.2 Access to IT services and data - Users | U.10.2 |Under the responsibility of the CSP, access is granted to administrators. 
|[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Audit.json) | -|U.10.3 Access to IT services and data - Users | U.10.3 |Only users with authenticated equipment can access IT services and data. |[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Audit.json) | -|U.10.5 Access to IT services and data - Competent | U.10.5 |Access to IT services and data is limited by technical measures and has been implemented. |[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Audit.json) | +|U.10.2 Access to IT services and data - Users | U.10.2 |Under the responsibility of the CSP, access is granted to administrators. 
|[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Audit.json) | +|U.10.3 Access to IT services and data - Users | U.10.3 |Only users with authenticated equipment can access IT services and data. |[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Audit.json) | +|U.10.5 Access to IT services and data - Competent | U.10.5 |Access to IT services and data is limited by technical measures and has been implemented. |[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Audit.json) | |U.11.3 Cryptoservices - Encrypted | U.11.3 |Sensitive data is always encrypted, with private keys managed by the CSC. 
|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | |U.15.1 Logging and monitoring - Events logged | U.15.1 |The violation of the policy rules is recorded by the CSP and the CSC. |[Resource logs in Azure Machine Learning Workspaces should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fafe0c3be-ba3b-4544-ba52-0c99672a8ad6) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/AuditDiagnosticLog_Audit.json) | diff --git a/includes/policy/standards/byrp/microsoft.network.md b/includes/policy/standards/byrp/microsoft.network.md index a8b4b2f82db40..dfa770d1f37df 100644 --- a/includes/policy/standards/byrp/microsoft.network.md +++ b/includes/policy/standards/byrp/microsoft.network.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.operationalinsights.md b/includes/policy/standards/byrp/microsoft.operationalinsights.md index 400112e09bcbd..633799fe1af9f 100644 --- a/includes/policy/standards/byrp/microsoft.operationalinsights.md +++ b/includes/policy/standards/byrp/microsoft.operationalinsights.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/standards/byrp/microsoft.operationsmanagement.md b/includes/policy/standards/byrp/microsoft.operationsmanagement.md index 8df995705174f..052ecc8ccd995 100644 --- a/includes/policy/standards/byrp/microsoft.operationsmanagement.md +++ b/includes/policy/standards/byrp/microsoft.operationsmanagement.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.recoveryservices.md b/includes/policy/standards/byrp/microsoft.recoveryservices.md index 228572f40bf39..2254b2bceb942 100644 --- a/includes/policy/standards/byrp/microsoft.recoveryservices.md +++ b/includes/policy/standards/byrp/microsoft.recoveryservices.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.resources.md b/includes/policy/standards/byrp/microsoft.resources.md index 09a5e2954c5a6..4e66288d8efa8 100644 --- a/includes/policy/standards/byrp/microsoft.resources.md +++ b/includes/policy/standards/byrp/microsoft.resources.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.search.md b/includes/policy/standards/byrp/microsoft.search.md index c97298b0fdac4..4fa14d168daf0 100644 --- a/includes/policy/standards/byrp/microsoft.search.md +++ b/includes/policy/standards/byrp/microsoft.search.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
@@ -53,12 +53,12 @@ For more information about this compliance standard, see |Domain |Control ID |Control title |Policy
(Azure portal) |Policy version
(GitHub) | |---|---|---|---|---| -|Access Control |AC.1.001 |Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | -|Access Control |AC.1.002 |Limit information system access to the types of transactions and functions that authorized users are permitted to execute. |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | -|Access Control |AC.2.016 |Control the flow of CUI in accordance with approved authorizations. |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | -|Configuration Management |CM.3.068 |Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. 
|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | -|System and Communications Protection |SC.1.175 |Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | -|System and Communications Protection |SC.3.183 |Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|Access Control |AC.1.001 |Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). 
|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|Access Control |AC.1.002 |Limit information system access to the types of transactions and functions that authorized users are permitted to execute. |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|Access Control |AC.2.016 |Control the flow of CUI in accordance with approved authorizations. |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|Configuration Management |CM.3.068 |Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. 
|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|System and Communications Protection |SC.1.175 |Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|System and Communications Protection |SC.3.183 |Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | ## FedRAMP High 
@@ -74,7 +74,7 @@ For more information about this compliance standard, see |Access Control |AC-2 (1) |Automated System Account Management |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | |Access Control |AC-2 (7) |Role-Based Schemes |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | |Access Control |AC-3 |Access Enforcement |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | -|Access Control |AC-4 |Information Flow Enforcement |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|Access Control |AC-4 |Information Flow 
Enforcement |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |Access Control |AC-4 |Information Flow Enforcement |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |Access Control |AC-4 |Information Flow Enforcement |[Azure Cognitive Search services should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | |Access Control |AC-4 |Information Flow Enforcement |[Azure Cognitive Search services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fda3595-9f2b-4592-8675-4231d6fa82fe) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/PrivateEndpoints_Audit.json) | 
@@ -88,11 +88,11 @@ For more information about this compliance standard, see |Audit And Accountability |AU-12 (1) |System-Wide / Time-Correlated Audit Trail |[Resource logs in Search services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb4330a05-a843-4bc8-bf9a-cacce50c67f4) |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/AuditDiagnosticLog_Audit.json) | |Identification And Authentication |IA-2 |Identification And Authentication (Organizational Users) |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | |Identification And Authentication |IA-4 |Identifier Management |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | -|System And Communications Protection |SC-7 |Boundary Protection |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) 
|[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|System And Communications Protection |SC-7 |Boundary Protection |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |System And Communications Protection |SC-7 |Boundary Protection |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |System And Communications Protection |SC-7 |Boundary Protection |[Azure Cognitive Search services should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | |System And Communications Protection |SC-7 |Boundary Protection |[Azure Cognitive Search services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fda3595-9f2b-4592-8675-4231d6fa82fe) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/PrivateEndpoints_Audit.json) | 
-|System And Communications Protection |SC-7 (3) |Access Points |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|System And Communications Protection |SC-7 (3) |Access Points |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |System And Communications Protection |SC-7 (3) |Access Points |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |System And Communications Protection |SC-7 (3) |Access Points |[Azure Cognitive Search services should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | |System And Communications Protection |SC-7 (3) |Access Points |[Azure Cognitive Search services should use private 
link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fda3595-9f2b-4592-8675-4231d6fa82fe) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/PrivateEndpoints_Audit.json) | 
@@ -111,7 +111,7 @@ For more information about this compliance standard, see |Access Control |AC-2 (1) |Automated System Account Management |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | |Access Control |AC-2 (7) |Role-Based Schemes |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | |Access Control |AC-3 |Access Enforcement |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | -|Access Control |AC-4 |Information Flow Enforcement |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|Access Control |AC-4 |Information Flow 
Enforcement |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |Access Control |AC-4 |Information Flow Enforcement |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |Access Control |AC-4 |Information Flow Enforcement |[Azure Cognitive Search services should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | |Access Control |AC-4 |Information Flow Enforcement |[Azure Cognitive Search services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fda3595-9f2b-4592-8675-4231d6fa82fe) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/PrivateEndpoints_Audit.json) | 
@@ -122,11 +122,11 @@ For more information about this compliance standard, see |Audit And Accountability |AU-12 |Audit Generation |[Resource logs in Search services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb4330a05-a843-4bc8-bf9a-cacce50c67f4) |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/AuditDiagnosticLog_Audit.json) | |Identification And Authentication |IA-2 |Identification And Authentication (Organizational Users) |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | |Identification And Authentication |IA-4 |Identifier Management |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | -|System And Communications Protection |SC-7 |Boundary Protection |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|System And 
Communications Protection |SC-7 |Boundary Protection |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |System And Communications Protection |SC-7 |Boundary Protection |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |System And Communications Protection |SC-7 |Boundary Protection |[Azure Cognitive Search services should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | |System And Communications Protection |SC-7 |Boundary Protection |[Azure Cognitive Search services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fda3595-9f2b-4592-8675-4231d6fa82fe) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/PrivateEndpoints_Audit.json) | -|System And Communications Protection |SC-7 (3) |Access Points |[Azure AI Services resources should restrict network 
access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|System And Communications Protection |SC-7 (3) |Access Points |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |System And Communications Protection |SC-7 (3) |Access Points |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |System And Communications Protection |SC-7 (3) |Access Points |[Azure Cognitive Search services should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | |System And Communications Protection |SC-7 (3) |Access Points |[Azure Cognitive Search services should use private 
link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fda3595-9f2b-4592-8675-4231d6fa82fe) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/PrivateEndpoints_Audit.json) | @@ -156,7 +156,7 @@ standard, see |Domain |Control ID |Control title |Policy
(Azure portal) |Policy version
(GitHub) | |---|---|---|---|---| -|Network Security |NS-2 |Secure cloud services with network controls |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|Network Security |NS-2 |Secure cloud services with network controls |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |Identity Management |IM-1 |Use centralized identity and authentication system |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | |Logging and Threat Detection |LT-3 |Enable logging for security investigation |[Resource logs in Search services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb4330a05-a843-4bc8-bf9a-cacce50c67f4) |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/AuditDiagnosticLog_Audit.json) | 
@@ -180,23 +180,23 @@ For more information about this compliance standard, see |Access Control |3.1.14 |Route remote access via managed access control points. |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |Access Control |3.1.14 |Route remote access via managed access control points. |[Azure Cognitive Search services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fda3595-9f2b-4592-8675-4231d6fa82fe) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/PrivateEndpoints_Audit.json) | |Access Control |3.1.2 |Limit system access to the types of transactions and functions that authorized users are permitted to execute. |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | -|Access Control |3.1.3 |Control the flow of CUI in accordance with approved authorizations. 
|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|Access Control |3.1.3 |Control the flow of CUI in accordance with approved authorizations. |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |Access Control |3.1.3 |Control the flow of CUI in accordance with approved authorizations. |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |Access Control |3.1.3 |Control the flow of CUI in accordance with approved authorizations. |[Azure Cognitive Search services should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | |Access Control |3.1.3 |Control the flow of CUI in accordance with approved authorizations. 
|[Azure Cognitive Search services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fda3595-9f2b-4592-8675-4231d6fa82fe) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/PrivateEndpoints_Audit.json) | -|System and Communications Protection |3.13.1 |Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|System and Communications Protection |3.13.1 |Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |System and Communications Protection |3.13.1 |Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. 
|[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |System and Communications Protection |3.13.1 |Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. |[Azure Cognitive Search services should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | |System and Communications Protection |3.13.1 |Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. |[Azure Cognitive Search services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fda3595-9f2b-4592-8675-4231d6fa82fe) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/PrivateEndpoints_Audit.json) | -|System and Communications Protection |3.13.2 |Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. 
|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|System and Communications Protection |3.13.2 |Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |System and Communications Protection |3.13.2 |Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |System and Communications Protection |3.13.2 |Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. 
|[Azure Cognitive Search services should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | |System and Communications Protection |3.13.2 |Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. |[Azure Cognitive Search services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fda3595-9f2b-4592-8675-4231d6fa82fe) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/PrivateEndpoints_Audit.json) | -|System and Communications Protection |3.13.5 |Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|System and Communications Protection |3.13.5 |Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. 
|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |System and Communications Protection |3.13.5 |Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |System and Communications Protection |3.13.5 |Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. |[Azure Cognitive Search services should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | |System and Communications Protection |3.13.5 |Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. 
|[Azure Cognitive Search services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fda3595-9f2b-4592-8675-4231d6fa82fe) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/PrivateEndpoints_Audit.json) | -|System and Communications Protection |3.13.6 |Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|System and Communications Protection |3.13.6 |Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |System and Communications Protection |3.13.6 |Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). 
|[Azure Cognitive Search services should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | |Audit and Accountability |3.3.1 |Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity |[Resource logs in Search services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb4330a05-a843-4bc8-bf9a-cacce50c67f4) |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/AuditDiagnosticLog_Audit.json) | |Audit and Accountability |3.3.2 |Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. |[Resource logs in Search services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb4330a05-a843-4bc8-bf9a-cacce50c67f4) |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/AuditDiagnosticLog_Audit.json) | 
@@ -219,7 +219,7 @@ For more information about this compliance standard, see |Access Control |AC-2 (1) |Automated System Account Management |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | |Access Control |AC-2 (7) |Role-Based Schemes |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | |Access Control |AC-3 |Access Enforcement |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | -|Access Control |AC-4 |Information Flow Enforcement |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|Access Control |AC-4 |Information Flow 
Enforcement |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |Access Control |AC-4 |Information Flow Enforcement |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |Access Control |AC-4 |Information Flow Enforcement |[Azure Cognitive Search services should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | |Access Control |AC-4 |Information Flow Enforcement |[Azure Cognitive Search services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fda3595-9f2b-4592-8675-4231d6fa82fe) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/PrivateEndpoints_Audit.json) | 
@@ -233,11 +233,11 @@ For more information about this compliance standard, see |Audit And Accountability |AU-12 (1) |System-Wide / Time-Correlated Audit Trail |[Resource logs in Search services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb4330a05-a843-4bc8-bf9a-cacce50c67f4) |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/AuditDiagnosticLog_Audit.json) | |Identification And Authentication |IA-2 |Identification And Authentication (Organizational Users) |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | |Identification And Authentication |IA-4 |Identifier Management |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | -|System And Communications Protection |SC-7 |Boundary Protection |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) 
|[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|System And Communications Protection |SC-7 |Boundary Protection |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |System And Communications Protection |SC-7 |Boundary Protection |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |System And Communications Protection |SC-7 |Boundary Protection |[Azure Cognitive Search services should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | |System And Communications Protection |SC-7 |Boundary Protection |[Azure Cognitive Search services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fda3595-9f2b-4592-8675-4231d6fa82fe) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/PrivateEndpoints_Audit.json) | 
-|System And Communications Protection |SC-7 (3) |Access Points |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|System And Communications Protection |SC-7 (3) |Access Points |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |System And Communications Protection |SC-7 (3) |Access Points |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |System And Communications Protection |SC-7 (3) |Access Points |[Azure Cognitive Search services should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | |System And Communications Protection |SC-7 (3) |Access Points |[Azure Cognitive Search services should use private 
link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fda3595-9f2b-4592-8675-4231d6fa82fe) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/PrivateEndpoints_Audit.json) | 
@@ -256,7 +256,7 @@ For more information about this compliance standard, see |Access Control |AC-2 (1) |Automated System Account Management |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | |Access Control |AC-2 (7) |Privileged User Accounts |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | |Access Control |AC-3 |Access Enforcement |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | -|Access Control |AC-4 |Information Flow Enforcement |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|Access Control |AC-4 |Information Flow 
Enforcement |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |Access Control |AC-4 |Information Flow Enforcement |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |Access Control |AC-4 |Information Flow Enforcement |[Azure Cognitive Search services should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | |Access Control |AC-4 |Information Flow Enforcement |[Azure Cognitive Search services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fda3595-9f2b-4592-8675-4231d6fa82fe) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/PrivateEndpoints_Audit.json) | 
@@ -270,11 +270,11 @@ For more information about this compliance standard, see |Audit and Accountability |AU-12 (1) |System-wide and Time-correlated Audit Trail |[Resource logs in Search services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb4330a05-a843-4bc8-bf9a-cacce50c67f4) |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/AuditDiagnosticLog_Audit.json) | |Identification and Authentication |IA-2 |Identification and Authentication (organizational Users) |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | |Identification and Authentication |IA-4 |Identifier Management |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | -|System and Communications Protection |SC-7 |Boundary Protection |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) 
|[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|System and Communications Protection |SC-7 |Boundary Protection |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |System and Communications Protection |SC-7 |Boundary Protection |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |System and Communications Protection |SC-7 |Boundary Protection |[Azure Cognitive Search services should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | |System and Communications Protection |SC-7 |Boundary Protection |[Azure Cognitive Search services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fda3595-9f2b-4592-8675-4231d6fa82fe) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/PrivateEndpoints_Audit.json) | 
-|System and Communications Protection |SC-7 (3) |Access Points |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|System and Communications Protection |SC-7 (3) |Access Points |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |System and Communications Protection |SC-7 (3) |Access Points |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |System and Communications Protection |SC-7 (3) |Access Points |[Azure Cognitive Search services should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | |System and Communications Protection |SC-7 (3) |Access Points |[Azure Cognitive Search services should use private 
link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fda3595-9f2b-4592-8675-4231d6fa82fe) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/PrivateEndpoints_Audit.json) | @@ -289,7 +289,7 @@ For more information about this compliance standard, see |Domain |Control ID |Control title |Policy
(Azure portal) |Policy version
(GitHub) | |---|---|---|---|---| -|U.07.1 Data separation - Isolated | U.07.1 |Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|U.07.1 Data separation - Isolated | U.07.1 |Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |U.07.1 Data separation - Isolated | U.07.1 |Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |U.07.1 Data separation - Isolated | U.07.1 |Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. 
|[Azure Cognitive Search services should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | |U.07.1 Data separation - Isolated | U.07.1 |Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. |[Azure Cognitive Search services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fda3595-9f2b-4592-8675-4231d6fa82fe) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/PrivateEndpoints_Audit.json) | @@ -309,7 +309,7 @@ For more information about this compliance standard, see |Domain |Control ID |Control title |Policy
(Azure portal) |Policy version
(GitHub) | |---|---|---|---|---| -|Anti-Phishing | |Anti-Phishing-14.1 |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|Anti-Phishing | |Anti-Phishing-14.1 |[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | ## RMIT Malaysia diff --git a/includes/policy/standards/byrp/microsoft.security.md b/includes/policy/standards/byrp/microsoft.security.md index af8358b6e5b19..034b55f375a92 100644 --- a/includes/policy/standards/byrp/microsoft.security.md +++ b/includes/policy/standards/byrp/microsoft.security.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
@@ -386,7 +386,6 @@ For more information about this compliance standard, see |Risk Assessment |RM.2.143 |Remediate vulnerabilities in accordance with risk assessments. |[Azure Defender for Key Vault should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e6763cc-5078-4e64-889d-ff4d9a839047) |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKeyVaults_Audit.json) | |Risk Assessment |RM.2.143 |Remediate vulnerabilities in accordance with risk assessments. |[Azure Defender for servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4da35fc9-c9e7-4960-aec9-797fe7d9051d) |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) | |Risk Assessment |RM.2.143 |Remediate vulnerabilities in accordance with risk assessments. |[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) | -|Risk Assessment |RM.2.143 |Remediate vulnerabilities in accordance with risk assessments. 
|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |Risk Assessment |RM.2.143 |Remediate vulnerabilities in accordance with risk assessments. |[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) | |Risk Assessment |RM.2.143 |Remediate vulnerabilities in accordance with risk assessments. |[Microsoft Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F640d2586-54d2-465f-877f-9ffc1d2109f4) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_Microsoft_Defender_For_Storage_Full_Audit.json) | |Risk Assessment |RM.2.143 |Remediate vulnerabilities in accordance with risk assessments. |[Security Center standard pricing tier should be selected](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa1181c5f-672a-477a-979a-7d58aa086233) |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Standard_pricing_tier.json) | 
@@ -593,7 +592,6 @@ For more information about this compliance standard, see |Risk Assessment |RA-5 |Vulnerability Scanning |[Azure Defender for Resource Manager should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3d20c29-b36d-48fe-808b-99a87530ad99) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAzureDefenderOnResourceManager_Audit.json) | |Risk Assessment |RA-5 |Vulnerability Scanning |[Azure Defender for servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4da35fc9-c9e7-4960-aec9-797fe7d9051d) |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) | |Risk Assessment |RA-5 |Vulnerability Scanning |[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) | -|Risk Assessment |RA-5 |Vulnerability Scanning |[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |Risk Assessment |RA-5 |Vulnerability 
Scanning |[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) | |Risk Assessment |RA-5 |Vulnerability Scanning |[Microsoft Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F640d2586-54d2-465f-877f-9ffc1d2109f4) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_Microsoft_Defender_For_Storage_Full_Audit.json) | |Risk Assessment |RA-5 |Vulnerability Scanning |[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) | 
@@ -761,7 +759,6 @@ For more information about this compliance standard, see |Risk Assessment |RA-5 |Vulnerability Scanning |[Azure Defender for Resource Manager should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3d20c29-b36d-48fe-808b-99a87530ad99) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAzureDefenderOnResourceManager_Audit.json) | |Risk Assessment |RA-5 |Vulnerability Scanning |[Azure Defender for servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4da35fc9-c9e7-4960-aec9-797fe7d9051d) |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) | |Risk Assessment |RA-5 |Vulnerability Scanning |[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) | -|Risk Assessment |RA-5 |Vulnerability Scanning |[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |Risk Assessment |RA-5 |Vulnerability 
Scanning |[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) | |Risk Assessment |RA-5 |Vulnerability Scanning |[Microsoft Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F640d2586-54d2-465f-877f-9ffc1d2109f4) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_Microsoft_Defender_For_Storage_Full_Audit.json) | |Risk Assessment |RA-5 |Vulnerability Scanning |[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) | 
@@ -1091,9 +1088,7 @@ standard, see |Posture and Vulnerability Management |PV-5 |Perform vulnerability assessments |[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) | |Posture and Vulnerability Management |PV-6 |Rapidly and automatically remediate vulnerabilities |[[Preview]: System updates should be installed on your machines (powered by Update Center)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff85bf3e0-d513-442e-89c3-1784ad63382b) |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdatesV2_Audit.json) | |Posture and Vulnerability Management |PV-6 |Rapidly and automatically remediate vulnerabilities |[Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F090c7b07-b4ed-4561-ad20-e9075f3ccaff) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_AzureContainerRegistryVulnerabilityAssessment_Audit.json) | -|Posture and Vulnerability Management |PV-6 |Rapidly and automatically remediate vulnerabilities |[Azure registry container images should have vulnerabilities resolved (powered by 
Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |Posture and Vulnerability Management |PV-6 |Rapidly and automatically remediate vulnerabilities |[Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17f4b1cc-c55c-4d94-b1f9-2978f6ac2957) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_K8sRuningImagesVulnerabilityAssessmentBasedOnMDVM_Audit.json) | -|Posture and Vulnerability Management |PV-6 |Rapidly and automatically remediate vulnerabilities |[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) | |Posture and Vulnerability Management |PV-6 |Rapidly and automatically remediate vulnerabilities |[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) 
|[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) | |Posture and Vulnerability Management |PV-6 |Rapidly and automatically remediate vulnerabilities |[SQL servers on machines should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6ba6d016-e7c3-4842-b8f2-4992ebc0d72d) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerSQLVulnerabilityAssessment_Audit.json) | |Posture and Vulnerability Management |PV-6 |Rapidly and automatically remediate vulnerabilities |[System updates on virtual machine scale sets should be installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3f317a7-a95c-4547-b7e7-11017ebdf2fe) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingSystemUpdates_Audit.json) | 
@@ -1120,9 +1115,7 @@ standard, see |Incident Response |AIR-5 |Detection and analysis - prioritize incidents |[Microsoft Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F640d2586-54d2-465f-877f-9ffc1d2109f4) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_Microsoft_Defender_For_Storage_Full_Audit.json) | |Incident Response |AIR-5 |Detection and analysis - prioritize incidents |[SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc6283572-73bb-4deb-bf2c-7a2b8f7462cb) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_DFSQL_AMA_Migration_Audit.json) | |DevOps Security |DS-6 |Enforce security of workload throughout DevOps lifecycle |[Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F090c7b07-b4ed-4561-ad20-e9075f3ccaff) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_AzureContainerRegistryVulnerabilityAssessment_Audit.json) | -|DevOps Security |DS-6 |Enforce security of workload throughout DevOps lifecycle |[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) 
|[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |DevOps Security |DS-6 |Enforce security of workload throughout DevOps lifecycle |[Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17f4b1cc-c55c-4d94-b1f9-2978f6ac2957) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_K8sRuningImagesVulnerabilityAssessmentBasedOnMDVM_Audit.json) | -|DevOps Security |DS-6 |Enforce security of workload throughout DevOps lifecycle |[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) | |DevOps Security |DS-6 |Enforce security of workload throughout DevOps lifecycle |[Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) | ## NIST SP 800-171 R2 
@@ -1169,7 +1162,6 @@ For more information about this compliance standard, see |Risk Assessment |3.11.2 |Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. |[Azure Defender for Resource Manager should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3d20c29-b36d-48fe-808b-99a87530ad99) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAzureDefenderOnResourceManager_Audit.json) | |Risk Assessment |3.11.2 |Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. |[Azure Defender for servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4da35fc9-c9e7-4960-aec9-797fe7d9051d) |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) | |Risk Assessment |3.11.2 |Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. 
|[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) | -|Risk Assessment |3.11.2 |Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. |[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |Risk Assessment |3.11.2 |Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. |[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) | |Risk Assessment |3.11.2 |Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. 
|[Microsoft Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F640d2586-54d2-465f-877f-9ffc1d2109f4) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_Microsoft_Defender_For_Storage_Full_Audit.json) | |Risk Assessment |3.11.2 |Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. |[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) | 
@@ -1185,7 +1177,6 @@ For more information about this compliance standard, see |Risk Assessment |3.11.3 |Remediate vulnerabilities in accordance with risk assessments. |[Azure Defender for Resource Manager should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3d20c29-b36d-48fe-808b-99a87530ad99) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAzureDefenderOnResourceManager_Audit.json) | |Risk Assessment |3.11.3 |Remediate vulnerabilities in accordance with risk assessments. |[Azure Defender for servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4da35fc9-c9e7-4960-aec9-797fe7d9051d) |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) | |Risk Assessment |3.11.3 |Remediate vulnerabilities in accordance with risk assessments. |[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) | -|Risk Assessment |3.11.3 |Remediate vulnerabilities in accordance with risk assessments. 
|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |Risk Assessment |3.11.3 |Remediate vulnerabilities in accordance with risk assessments. |[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) | |Risk Assessment |3.11.3 |Remediate vulnerabilities in accordance with risk assessments. |[Microsoft Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F640d2586-54d2-465f-877f-9ffc1d2109f4) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_Microsoft_Defender_For_Storage_Full_Audit.json) | |Risk Assessment |3.11.3 |Remediate vulnerabilities in accordance with risk assessments. |[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) | 
@@ -1494,7 +1485,6 @@ For more information about this compliance standard, see |Risk Assessment |RA-5 |Vulnerability Scanning |[Azure Defender for Resource Manager should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3d20c29-b36d-48fe-808b-99a87530ad99) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAzureDefenderOnResourceManager_Audit.json) | |Risk Assessment |RA-5 |Vulnerability Scanning |[Azure Defender for servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4da35fc9-c9e7-4960-aec9-797fe7d9051d) |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) | |Risk Assessment |RA-5 |Vulnerability Scanning |[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) | -|Risk Assessment |RA-5 |Vulnerability Scanning |[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |Risk Assessment |RA-5 |Vulnerability 
Scanning |[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) | |Risk Assessment |RA-5 |Vulnerability Scanning |[Microsoft Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F640d2586-54d2-465f-877f-9ffc1d2109f4) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_Microsoft_Defender_For_Storage_Full_Audit.json) | |Risk Assessment |RA-5 |Vulnerability Scanning |[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) | 
@@ -1704,7 +1694,6 @@ For more information about this compliance standard, see |Risk Assessment |RA-5 |Vulnerability Monitoring and Scanning |[Azure Defender for Resource Manager should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3d20c29-b36d-48fe-808b-99a87530ad99) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAzureDefenderOnResourceManager_Audit.json) | |Risk Assessment |RA-5 |Vulnerability Monitoring and Scanning |[Azure Defender for servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4da35fc9-c9e7-4960-aec9-797fe7d9051d) |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) | |Risk Assessment |RA-5 |Vulnerability Monitoring and Scanning |[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) | -|Risk Assessment |RA-5 |Vulnerability Monitoring and Scanning |[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) 
|[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |Risk Assessment |RA-5 |Vulnerability Monitoring and Scanning |[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) | |Risk Assessment |RA-5 |Vulnerability Monitoring and Scanning |[Microsoft Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F640d2586-54d2-465f-877f-9ffc1d2109f4) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_Microsoft_Defender_For_Storage_Full_Audit.json) | |Risk Assessment |RA-5 |Vulnerability Monitoring and Scanning |[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) | 
@@ -1876,8 +1865,6 @@ For more information about this compliance standard, see |U.09.3 Malware Protection - Detection, prevention and recovery | U.09.3 |The malware protection runs on different environments. |[Azure Defender for Resource Manager should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3d20c29-b36d-48fe-808b-99a87530ad99) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAzureDefenderOnResourceManager_Audit.json) | |U.09.3 Malware Protection - Detection, prevention and recovery | U.09.3 |The malware protection runs on different environments. |[Azure Defender for servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4da35fc9-c9e7-4960-aec9-797fe7d9051d) |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) | |U.09.3 Malware Protection - Detection, prevention and recovery | U.09.3 |The malware protection runs on different environments. |[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) | -|U.09.3 Malware Protection - Detection, prevention and recovery | U.09.3 |The malware protection runs on different environments. 
|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | -|U.09.3 Malware Protection - Detection, prevention and recovery | U.09.3 |The malware protection runs on different environments. |[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) | |U.09.3 Malware Protection - Detection, prevention and recovery | U.09.3 |The malware protection runs on different environments. |[Endpoint protection solution should be installed on virtual machine scale sets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F26a828e1-e88f-464e-bbb3-c134a282b9de) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingEndpointProtection_Audit.json) | |U.09.3 Malware Protection - Detection, prevention and recovery | U.09.3 |The malware protection runs on different environments. 
|[IP Forwarding on your virtual machine should be disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd352bd5-2853-4985-bf0d-73806b4a5744) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_IPForwardingOnVirtualMachines_Audit.json) | |U.09.3 Malware Protection - Detection, prevention and recovery | U.09.3 |The malware protection runs on different environments. |[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) | @@ -2100,7 +2087,6 @@ For more information about this compliance standard, see |Domain |Control ID |Control title |Policy
(Azure portal) |Policy version
(GitHub) | |---|---|---|---|---| |IT Governance | 1 |IT Governance-1 |[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) | -|IT Governance | 1 |IT Governance-1 |[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |IT Governance | 1 |IT Governance-1 |[Email notification for high severity alerts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6e2593d9-add6-4083-9c9b-4b7d2188c899) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification.json) | |IT Governance | 1 |IT Governance-1 |[Email notification to subscription owner for high severity alerts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0b15565f-aa9e-48ba-8619-45960f2c314d) |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification_to_subscription_owner.json) | |IT Governance | 1 |IT Governance-1 |[SQL databases should have vulnerability findings 
resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) | 
@@ -2168,8 +2154,6 @@ For more information about this compliance standard, see |Information and Cyber Security | 3.1.g |Trails-3.1 |[Microsoft Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F640d2586-54d2-465f-877f-9ffc1d2109f4) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_Microsoft_Defender_For_Storage_Full_Audit.json) | |Information and Cyber Security | 3.1.h |Public Key Infrastructure (PKI)-3.1 |[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) | |Information and Cyber Security | 3.3 |Vulnerability Management-3.3 |[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) | -|Information and Cyber Security | 3.3 |Vulnerability Management-3.3 |[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) 
|[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | -|Information and Cyber Security | 3.3 |Vulnerability Management-3.3 |[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) | |Information and Cyber Security | 3.3 |Vulnerability Management-3.3 |[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) | |Information and Cyber Security | 3.3 |Vulnerability Management-3.3 |[SQL servers on machines should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6ba6d016-e7c3-4842-b8f2-4992ebc0d72d) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerSQLVulnerabilityAssessment_Audit.json) | |Information and Cyber Security | 3.3 |Vulnerability Management-3.3 |[System updates on virtual machine scale sets should be installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3f317a7-a95c-4547-b7e7-11017ebdf2fe) 
|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingSystemUpdates_Audit.json) | 
@@ -2217,8 +2201,6 @@ For more information about this compliance standard, see |Network Management And Security | |Security Operation Centre-4.9 |[Azure Defender for Resource Manager should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3d20c29-b36d-48fe-808b-99a87530ad99) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAzureDefenderOnResourceManager_Audit.json) | |Network Management And Security | |Security Operation Centre-4.9 |[Azure Defender for servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4da35fc9-c9e7-4960-aec9-797fe7d9051d) |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) | |Network Management And Security | |Security Operation Centre-4.9 |[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) | -|Preventing Execution Of Unauthorised Software | |Security Update Management-2.3 |[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) 
|[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | -|Preventing Execution Of Unauthorised Software | |Security Update Management-2.3 |[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) | |User Access Control / Management | |User Access Control / Management-8.1 |[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) | |User Access Control / Management | |User Access Control / Management-8.1 |[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) | |Network Management And Security | |Anomaly Detection-4.7 |[Email notification for high severity alerts should be 
enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6e2593d9-add6-4083-9c9b-4b7d2188c899) |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification.json) | 
@@ -2311,7 +2293,6 @@ For more information about this compliance standard, see |Cybersecurity Operations | 11.5 |Cybersecurity Operations - 11.5 |[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) | |Cybersecurity Operations | 11.5 |Cybersecurity Operations - 11.5 |[Microsoft Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F640d2586-54d2-465f-877f-9ffc1d2109f4) |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_Microsoft_Defender_For_Storage_Full_Audit.json) | |Cybersecurity Operations | 11.8 |Cybersecurity Operations - 11.8 |[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) | -|Cybersecurity Operations | 11.8 |Cybersecurity Operations - 11.8 |[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) 
|[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |Cybersecurity Operations | 11.8 |Cybersecurity Operations - 11.8 |[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) | |Control Measures on Cybersecurity | Appendix 5.2 |Control Measures on Cybersecurity - Appendix 5.2 |[Adaptive application controls for defining safe applications should be enabled on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F47a6b606-51aa-4496-8bb7-64b11cf66adc) |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControls_Audit.json) | |Control Measures on Cybersecurity | Appendix 5.2 |Control Measures on Cybersecurity - Appendix 5.2 |[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) | diff --git a/includes/policy/standards/byrp/microsoft.servicebus.md b/includes/policy/standards/byrp/microsoft.servicebus.md index edae0852fa97b..24d9c6ade0bef 100644 --- a/includes/policy/standards/byrp/microsoft.servicebus.md +++ b/includes/policy/standards/byrp/microsoft.servicebus.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.servicefabric.md b/includes/policy/standards/byrp/microsoft.servicefabric.md index 3e4e485ad51eb..15bc19ac951b7 100644 --- a/includes/policy/standards/byrp/microsoft.servicefabric.md +++ b/includes/policy/standards/byrp/microsoft.servicefabric.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.signalrservice.md b/includes/policy/standards/byrp/microsoft.signalrservice.md index 9ccbb72e0c5d3..f9840c493a6df 100644 --- a/includes/policy/standards/byrp/microsoft.signalrservice.md +++ b/includes/policy/standards/byrp/microsoft.signalrservice.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.sql.md b/includes/policy/standards/byrp/microsoft.sql.md index 40b9731fc258f..4202d660dc7ea 100644 --- a/includes/policy/standards/byrp/microsoft.sql.md +++ b/includes/policy/standards/byrp/microsoft.sql.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.storage.md b/includes/policy/standards/byrp/microsoft.storage.md index 728fa830df600..61287453d3d88 100644 --- a/includes/policy/standards/byrp/microsoft.storage.md +++ b/includes/policy/standards/byrp/microsoft.storage.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/standards/byrp/microsoft.storagecache.md b/includes/policy/standards/byrp/microsoft.storagecache.md index 1ee9f24a68bc8..5131c5f5ce67a 100644 --- a/includes/policy/standards/byrp/microsoft.storagecache.md +++ b/includes/policy/standards/byrp/microsoft.storagecache.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.storagesync.md b/includes/policy/standards/byrp/microsoft.storagesync.md index 6a6d5fa6d8d70..4e9cb7ccaa519 100644 --- a/includes/policy/standards/byrp/microsoft.storagesync.md +++ b/includes/policy/standards/byrp/microsoft.storagesync.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.streamanalytics.md b/includes/policy/standards/byrp/microsoft.streamanalytics.md index 90241f5da001b..bbd2f0e89a117 100644 --- a/includes/policy/standards/byrp/microsoft.streamanalytics.md +++ b/includes/policy/standards/byrp/microsoft.streamanalytics.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.synapse.md b/includes/policy/standards/byrp/microsoft.synapse.md index 2618d0f29bd7c..3cb3d893ab0b0 100644 --- a/includes/policy/standards/byrp/microsoft.synapse.md +++ b/includes/policy/standards/byrp/microsoft.synapse.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/standards/byrp/microsoft.virtualmachineimages.md b/includes/policy/standards/byrp/microsoft.virtualmachineimages.md index 305a6ea8f4f5d..e55bdece44d1e 100644 --- a/includes/policy/standards/byrp/microsoft.virtualmachineimages.md +++ b/includes/policy/standards/byrp/microsoft.virtualmachineimages.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/standards/byrp/microsoft.web.md b/includes/policy/standards/byrp/microsoft.web.md index c3a311a2f9308..0400da72c977a 100644 --- a/includes/policy/standards/byrp/microsoft.web.md +++ b/includes/policy/standards/byrp/microsoft.web.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/14/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated ---
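Review bot: every hunk in this run changes only the front-matter line `ms.date: 03/14/2024` to `ms.date: 03/18/2024` in includes marked `ms.custom: generated` (microsoft.servicefabric.md through microsoft.web.md), with no change to the policy tables below the front matter. If the generator emitted no content change for these files, bumping the date alone misstates when the included content was last updated; confirm these files were regenerated together with the date rather than hand-edited, and if the generator produced no other output for them, drop the date-only hunks so `ms.date` keeps tracking actual content revisions.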
