| 1.1.1 Ensure Security Defaults is enabled on Azure Active Directory | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 1.1.2 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users | IDENTIFICATION AND AUTHENTICATION |
| 1.1.4 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled | IDENTIFICATION AND AUTHENTICATION |
| 1.2.1 Ensure Trusted Locations Are Defined | ACCESS CONTROL, CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.2.2 Ensure that an exclusionary Geographic Access Policy is considered | ACCESS CONTROL |
| 1.2.3 Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 1.2.4 Ensure that A Multi-factor Authentication Policy Exists for All Users | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 1.2.5 Ensure Multi-factor Authentication is Required for Risky Sign-ins | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 1.2.6 Ensure Multi-factor Authentication is Required for Azure Management | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 1.3 Ensure that 'Users can create Azure AD Tenants' is set to 'No' | ACCESS CONTROL |
| 1.5 Ensure Guest Users Are Reviewed on a Regular Basis | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 1.6 Ensure That 'Number of methods required to reset' is set to '2' | IDENTIFICATION AND AUTHENTICATION |
| 1.7 Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 1.8 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' | ACCESS CONTROL |
| 1.9 Ensure that 'Notify users on password resets?' is set to 'Yes' | ACCESS CONTROL |
| 1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' | ACCESS CONTROL |
| 1.11 Ensure 'User consent for applications' is set to 'Do not allow user consent' | ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION |
| 1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No' | CONFIGURATION MANAGEMENT |
| 1.14 Ensure That 'Users Can Register Applications' Is Set to 'No' | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION, RISK ASSESSMENT |
| 1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' | IDENTIFICATION AND AUTHENTICATION |
| 1.23 Ensure That No Custom Subscription Administrator Roles Exist | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.1.13 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 2.1.14 Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled' | ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND INFORMATION INTEGRITY |
| 2.1.15 Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' | RISK ASSESSMENT |
| 2.1.18 Ensure That 'All users with the following roles' is set to 'Owner' | INCIDENT RESPONSE |
| 2.1.19 Ensure 'Additional email addresses' is Configured with a Security Contact Email | INCIDENT RESPONSE |
| 2.1.20 Ensure That 'Notify about alerts with the following severity' is Set to 'High' | SYSTEM AND INFORMATION INTEGRITY |
| 3.1 Ensure that 'Secure transfer required' is set to 'Enabled' | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND INFORMATION INTEGRITY |
| 3.4 Ensure that Storage Account Access Keys are Periodically Regenerated | ACCESS CONTROL, CONFIGURATION MANAGEMENT, MAINTENANCE |
| 3.6 Ensure that Shared Access Signature Tokens Expire Within an Hour | ACCESS CONTROL |
| 3.7 Ensure that 'Public access level' is disabled for storage accounts with blob containers | ACCESS CONTROL, MEDIA PROTECTION |
| 3.8 Ensure Default Network Access Rule for Storage Accounts is Set to Deny | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.10 Ensure Private Endpoints are used to access Storage Accounts | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage | CONTINGENCY PLANNING |
| 3.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.1 Ensure that 'Auditing' is set to 'On' | AUDIT AND ACCOUNTABILITY |
| 4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | ACCESS CONTROL, MEDIA PROTECTION |
| 4.1.4 Ensure that Azure Active Directory Admin is Configured for SQL Servers | ACCESS CONTROL |
| 4.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days' | AUDIT AND ACCOUNTABILITY |
| 4.2.5 Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server | RISK ASSESSMENT |
| 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.3.2 Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | AUDIT AND ACCOUNTABILITY |
| 4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | AUDIT AND ACCOUNTABILITY |
| 4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | AUDIT AND ACCOUNTABILITY |
| 4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | AUDIT AND ACCOUNTABILITY |
| 4.3.6 Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | AUDIT AND ACCOUNTABILITY |
