| # | Recommendation | NIST SP 800-53 control families |
|---|---|---|
| 2.1.1 | Ensure Security Defaults is enabled on Microsoft Entra ID | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.1.2 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users | IDENTIFICATION AND AUTHENTICATION |
| 2.1.4 | Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled | IDENTIFICATION AND AUTHENTICATION |
| 2.3 | Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.4 | Ensure Guest Users Are Reviewed on a Regular Basis | ACCESS CONTROL |
| 2.5 | Ensure That 'Number of methods required to reset' is set to '2' | IDENTIFICATION AND AUTHENTICATION |
| 2.6 | Ensure that account 'Lockout Threshold' is less than or equal to '10' | ACCESS CONTROL |
| 2.7 | Ensure that account 'Lockout duration in seconds' is greater than or equal to '60' | ACCESS CONTROL |
| 2.8 | Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 2.9 | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' | ACCESS CONTROL |
| 2.10 | Ensure that 'Notify users on password resets?' is set to 'Yes' | ACCESS CONTROL |
| 2.11 | Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' | ACCESS CONTROL |
| 2.12 | Ensure 'User consent for applications' is set to 'Do not allow user consent' | ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION |
| 2.14 | Ensure That 'Users Can Register Applications' Is Set to 'No' | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 2.15 | Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION |
| 2.17 | Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.22 | Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes' | IDENTIFICATION AND AUTHENTICATION |
| 2.23 | Ensure That No Custom Subscription Administrator Roles Exist | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.26 | Ensure fewer than 5 users have global administrator assignment | ACCESS CONTROL |
| 3.1.1.1 | Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' | RISK ASSESSMENT |
| 3.1.10 | Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 3.1.11 | Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled' | ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 3.1.12 | Ensure That 'All users with the following roles' is set to 'Owner' | INCIDENT RESPONSE |
| 3.1.13 | Ensure 'Additional email addresses' is Configured with a Security Contact Email | INCIDENT RESPONSE |
| 3.1.14 | Ensure That 'Notify about alerts with the following severity' is Set to 'High' | SYSTEM AND INFORMATION INTEGRITY |
| 3.3.1 | Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 3.3.2 | Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 3.3.3 | Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 3.3.4 | Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 3.3.5 | Ensure the Key Vault is Recoverable | CONTINGENCY PLANNING |
| 4.1 | Ensure that 'Secure transfer required' is set to 'Enabled' | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.3 | Ensure that 'Enable key rotation reminders' is enabled for each Storage Account | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND INFORMATION INTEGRITY |
| 4.4 | Ensure that Storage Account Access Keys are Periodically Regenerated | ACCESS CONTROL, CONFIGURATION MANAGEMENT, MAINTENANCE |
| 4.5 | Ensure that Shared Access Signature Tokens Expire Within an Hour | ACCESS CONTROL |
| 4.6 | Ensure that 'Public Network Access' is 'Disabled' for storage accounts | ACCESS CONTROL, MEDIA PROTECTION |
| 4.7 | Ensure Default Network Access Rule for Storage Accounts is Set to Deny | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.10 | Ensure Soft Delete is Enabled for Azure Containers and Blob Storage | CONTINGENCY PLANNING |
| 4.15 | Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.16 | Ensure 'Cross Tenant Replication' is not enabled | ACCESS CONTROL, MEDIA PROTECTION |
| 4.17 | Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled' | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.1 | Ensure that 'Auditing' is set to 'On' | AUDIT AND ACCOUNTABILITY |
| 5.1.2 | Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.4 | Ensure that Microsoft Entra authentication is Configured for SQL Servers | ACCESS CONTROL |
| 5.1.5 | Ensure that 'Data encryption' is set to 'On' on a SQL Database | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.1.6 | Ensure that 'Auditing' Retention is 'greater than 90 days' | AUDIT AND ACCOUNTABILITY |
| 5.1.7 | Ensure Public Network Access is Disabled | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.2.1 | Ensure server parameter 'require_secure_transport' is set to 'ON' for PostgreSQL flexible server | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.2.2 | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible server | AUDIT AND ACCOUNTABILITY |
| 5.2.3 | Ensure server parameter 'connection_throttle.enable' is set to 'ON' for PostgreSQL flexible server | AUDIT AND ACCOUNTABILITY |
| 5.2.4 | Ensure server parameter 'logfiles.retention_days' is greater than 3 days for PostgreSQL flexible server | AUDIT AND ACCOUNTABILITY |
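The Key Vault rows (3.3.1 through 3.3.5) reduce to two machine-checkable conditions: every key and secret carries an expiration date, and the vault has both soft delete and purge protection enabled. The following Python is an added example, not code from the benchmark or from the mapping above. It evaluates those conditions over dicts shaped like the JSON returned by `az keyvault show`, `az keyvault key list` and `az keyvault secret list`; the field names are assumed from that CLI output, and the vault, keys and secrets are constructed samples.

```python
"""Evaluate a Key Vault against recommendations 3.3.1 to 3.3.5: every key and
secret needs an expiration date, and the vault must be recoverable, meaning
soft delete and purge protection are both on.

Input dicts mirror the JSON returned by `az keyvault show`,
`az keyvault key list` and `az keyvault secret list` (field names assumed
from that CLI output); all sample data below is constructed.
"""

# Constructed sample: an RBAC-authorized vault with soft delete on but purge
# protection never enabled (the CLI reports that as null, i.e. None here).
VAULT = {
    "name": "kv-example",
    "properties": {
        "enableRbacAuthorization": True,
        "enableSoftDelete": True,
        "enablePurgeProtection": None,
        "softDeleteRetentionInDays": 90,
    },
}

KEYS = [
    {"name": "tde-key", "attributes": {"enabled": True, "expires": "2026-01-01T00:00:00+00:00"}},
    {"name": "legacy-key", "attributes": {"enabled": True, "expires": None}},
]

SECRETS = [
    {"name": "db-password", "attributes": {"enabled": True, "expires": None}},
    {"name": "api-token", "attributes": {"enabled": True, "expires": "2025-06-30T00:00:00+00:00"}},
]


def names_without_expiry(items):
    """Names of keys or secrets whose attributes.expires is unset."""
    return sorted(i["name"] for i in items if not (i.get("attributes") or {}).get("expires"))


def vault_is_recoverable(vault):
    """3.3.5: soft delete and purge protection must both be explicitly True;
    a null purge-protection value means it was never turned on."""
    props = vault.get("properties") or {}
    return props.get("enableSoftDelete") is True and props.get("enablePurgeProtection") is True


def audit_key_vault(vault, keys, secrets):
    """Return failing recommendations as (id, message) pairs. The key and secret
    checks map to 3.3.1/3.3.3 for RBAC vaults and to 3.3.2/3.3.4 for vaults
    that still use access policies."""
    rbac = (vault.get("properties") or {}).get("enableRbacAuthorization") is True
    findings = []
    for name in names_without_expiry(keys):
        findings.append(("3.3.1" if rbac else "3.3.2", f"key '{name}' has no expiration date"))
    for name in names_without_expiry(secrets):
        findings.append(("3.3.3" if rbac else "3.3.4", f"secret '{name}' has no expiration date"))
    if not vault_is_recoverable(vault):
        findings.append(("3.3.5", "soft delete and purge protection are not both enabled"))
    return findings


if __name__ == "__main__":
    for rec, msg in audit_key_vault(VAULT, KEYS, SECRETS):
        print(f"{VAULT['name']} fails {rec}: {msg}")
```

Against the constructed sample this reports 3.3.1 for `legacy-key`, 3.3.3 for `db-password` and 3.3.5 for the vault. To run it against a real vault, feed it the parsed output of `az keyvault show --name <vault> -o json`, `az keyvault key list --vault-name <vault> -o json` and `az keyvault secret list --vault-name <vault> -o json` in place of the sample dicts; the purge-protection test deliberately treats a null value as failing rather than as "not applicable".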
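Most of the storage account rows (4.1, 4.3, 4.6, 4.7, 4.15, 4.16 and 4.17) are properties of a single resource, so they can be audited together and remediated with one `az storage account update`. The Python below is an added example, not code from the benchmark or from the mapping above. It evaluates a dict shaped like the JSON from `az storage account show` (field names assumed from that CLI output), shows a constructed weak account next to its hardened counterpart, and builds the remediation command from the Azure CLI flags for each failing setting; the 90-day key expiration period is a chosen value, not one the benchmark prescribes.

```python
"""Audit one storage account against recommendations 4.1, 4.3, 4.6, 4.7,
4.15, 4.16 and 4.17, and emit the `az storage account update` that fixes
whatever fails. The account dicts mirror `az storage account show` output
(field names assumed from that CLI); both samples are constructed."""

# Versions below 1.2 fail 4.15. Anything else present is accepted, so a
# stricter TLS 1.3 setting does not register as a finding.
LEGACY_TLS = {"TLS1_0", "TLS1_1"}

# Constructed sample of a non-compliant account (not a real resource).
WEAK_ACCOUNT = {
    "name": "stexampleweak",
    "resourceGroup": "rg-example",
    "enableHttpsTrafficOnly": False,
    "minimumTlsVersion": "TLS1_0",
    "allowBlobPublicAccess": True,
    "allowCrossTenantReplication": True,
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []},
    "keyPolicy": None,
}

# The same account after remediation.
HARDENED_ACCOUNT = {
    **WEAK_ACCOUNT,
    "enableHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_2",
    "allowBlobPublicAccess": False,
    "allowCrossTenantReplication": False,
    "publicNetworkAccess": "Disabled",
    "networkRuleSet": {"defaultAction": "Deny", "ipRules": [], "virtualNetworkRules": []},
    "keyPolicy": {"keyExpirationPeriodInDays": 90},
}

# (recommendation, predicate true when compliant, finding text, CLI flag that fixes it).
# Boolean settings must be explicitly True/False: an absent value is treated
# as failing so that an account on legacy defaults is not silently passed.
CHECKS = [
    ("4.1", lambda a: a.get("enableHttpsTrafficOnly") is True,
     "'Secure transfer required' is not enabled", "--https-only true"),
    ("4.3", lambda a: bool((a.get("keyPolicy") or {}).get("keyExpirationPeriodInDays")),
     "no key expiration period set, so no rotation reminder", "--key-exp-days 90"),
    ("4.6", lambda a: a.get("publicNetworkAccess") == "Disabled",
     "public network access is not disabled", "--public-network-access Disabled"),
    ("4.7", lambda a: (a.get("networkRuleSet") or {}).get("defaultAction") == "Deny",
     "default network access rule is not Deny", "--default-action Deny"),
    ("4.15", lambda a: a.get("minimumTlsVersion") not in LEGACY_TLS | {None},
     "minimum TLS version is below 1.2", "--min-tls-version TLS1_2"),
    ("4.16", lambda a: a.get("allowCrossTenantReplication") is False,
     "cross-tenant replication is not explicitly disabled", "--allow-cross-tenant-replication false"),
    ("4.17", lambda a: a.get("allowBlobPublicAccess") is False,
     "anonymous blob access is not explicitly disabled", "--allow-blob-public-access false"),
]


def audit_storage_account(account):
    """Return the failing recommendations as (id, message) pairs."""
    return [(rec, msg) for rec, ok, msg, _ in CHECKS if not ok(account)]


def remediation_command(account):
    """One `az storage account update` carrying a flag per failing check,
    or None when the account already passes everything."""
    flags = [flag for _, ok, _, flag in CHECKS if not ok(account)]
    if not flags:
        return None
    return (f"az storage account update --name {account['name']} "
            f"--resource-group {account['resourceGroup']} " + " ".join(flags))


if __name__ == "__main__":
    for rec, msg in audit_storage_account(WEAK_ACCOUNT):
        print(f"{WEAK_ACCOUNT['name']} fails {rec}: {msg}")
    print(remediation_command(WEAK_ACCOUNT))
    print("hardened account findings:", audit_storage_account(HARDENED_ACCOUNT))
```

Two caveats a practitioner should keep in mind before applying the generated command: disabling public network access (4.6) and setting the default rule to Deny (4.7) will cut off any client that is not reaching the account through a private endpoint, a service endpoint or an explicit IP rule, so inventory those first; and the expiration period behind 4.3 only produces a reminder, so 4.4 (actually regenerating the access keys) still has to be performed and checked separately.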