2.1.3 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users | IDENTIFICATION AND AUTHENTICATION |
2.2.1 Ensure Trusted Locations Are Defined | ACCESS CONTROL, CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
2.2.2 Ensure that an exclusionary Geographic Access Policy is considered | ACCESS CONTROL |
2.2.3 Ensure that an exclusionary Device code flow policy is considered | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
2.2.4 Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups | IDENTIFICATION AND AUTHENTICATION |
2.2.5 Ensure that A Multi-factor Authentication Policy Exists for All Users | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
2.2.6 Ensure Multi-factor Authentication is Required for Risky Sign-ins | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
2.2.7 Ensure Multi-factor Authentication is Required for Windows Azure Service Management API | IDENTIFICATION AND AUTHENTICATION |
2.2.8 Ensure Multi-factor Authentication is Required to access Microsoft Admin Portals | IDENTIFICATION AND AUTHENTICATION |
2.13 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers' | CONFIGURATION MANAGEMENT |
2.16 Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION |
2.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
2.19 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
2.20 Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
2.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
2.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION |
2.25 Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one' | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
3.1.1.2 Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected | RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.1.3.1 Ensure That Microsoft Defender for Servers Is Set to 'On' | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
3.1.3.2 Ensure that 'Vulnerability assessment for machines' component status is set to 'On' | RISK ASSESSMENT |
3.1.3.3 Ensure that 'Endpoint protection' component status is set to 'On' | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
3.1.3.4 Ensure that 'Agentless scanning for machines' component status is set to 'On' | RISK ASSESSMENT |
3.1.3.5 Ensure that 'File Integrity Monitoring' component status is set to 'On' | RISK ASSESSMENT |
3.1.4.1 Ensure That Microsoft Defender for Containers Is Set To 'On' | RISK ASSESSMENT |
3.1.4.2 Ensure that 'Agentless discovery for Kubernetes' component status is 'On' | RISK ASSESSMENT |
3.1.4.3 Ensure that 'Agentless container vulnerability assessment' component status is 'On' | RISK ASSESSMENT |
3.1.5.1 Ensure That Microsoft Defender for Storage Is Set To 'On' | RISK ASSESSMENT |
3.1.6.1 Ensure That Microsoft Defender for App Services Is Set To 'On' | RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION |
3.1.7.1 Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On' | RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION |
3.1.7.2 Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' | RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION |
3.1.7.3 Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On' | RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION |
3.1.7.4 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' | RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION |
3.1.8.1 Ensure That Microsoft Defender for Key Vault Is Set To 'On' | RISK ASSESSMENT |
3.1.9.1 Ensure That Microsoft Defender for Resource Manager Is Set To 'On' | ACCESS CONTROL, RISK ASSESSMENT |
3.1.15 Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled | RISK ASSESSMENT |
3.1.16 [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On' | RISK ASSESSMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
3.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On' | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
3.3.6 Enable Role Based Access Control for Azure Key Vault | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION |
3.3.7 Ensure that Private Endpoints are Used for Azure Key Vault | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.3.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
4.2 Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled' | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
4.8 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access | ACCESS CONTROL, MEDIA PROTECTION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
4.9 Ensure Private Endpoints are used to access Storage Accounts | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
4.11 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK) | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
4.12 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests | AUDIT AND ACCOUNTABILITY |
4.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests | AUDIT AND ACCOUNTABILITY |
4.14 Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests | AUDIT AND ACCOUNTABILITY |
5.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
5.3.3 Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL flexible server | AUDIT AND ACCOUNTABILITY |
5.3.4 Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL flexible server | AUDIT AND ACCOUNTABILITY |