| Recommendation | Control Families |
| --- | --- |
| 2.1.1.1.1 Ensure Critical Data is Encrypted with Microsoft Managed Keys (MMK) | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.2.1.1 Ensure public network access is Disabled | ACCESS CONTROL, MEDIA PROTECTION |
| 2.2.1.2 Ensure Network Access Rules are set to Deny-by-default | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1.1 Ensure that Azure Databricks is deployed in a customer-managed virtual network (VNet) | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1.2 Ensure that network security groups are configured for Databricks subnets | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1.4 Ensure that users and groups are synced from Microsoft Entra ID to Azure Databricks | ACCESS CONTROL |
| 3.1.5 Ensure that Unity Catalog is configured for Azure Databricks | ACCESS CONTROL |
| 3.1.6 Ensure that usage is restricted and expiry is enforced for Databricks personal access tokens | ACCESS CONTROL |
| 3.1.7 Ensure that diagnostic log delivery is configured for Azure Databricks | AUDIT AND ACCOUNTABILITY |
| 6.1.1 Ensure that 'security defaults' is enabled in Microsoft Entra ID | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 6.1.2 Ensure that 'multifactor authentication' is 'enabled' for all users | IDENTIFICATION AND AUTHENTICATION |
| 6.1.3 Ensure that 'Allow users to remember multifactor authentication on devices they trust' is disabled | IDENTIFICATION AND AUTHENTICATION |
| 6.3.1 Ensure that Azure admin accounts are not used for daily operations | ACCESS CONTROL |
| 6.3.2 Ensure that guest users are reviewed on a regular basis | ACCESS CONTROL |
| 6.3.3 Ensure that use of the 'User Access Administrator' role is restricted | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 6.3.4 Ensure that all 'privileged' role assignments are periodically reviewed | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 6.4 Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 6.5 Ensure that 'Number of methods required to reset' is set to '2' | IDENTIFICATION AND AUTHENTICATION |
| 6.6 Ensure that account 'Lockout threshold' is less than or equal to '10' | ACCESS CONTROL |
| 6.7 Ensure that account 'Lockout duration in seconds' is greater than or equal to '60' | ACCESS CONTROL |
| 6.8 Ensure that a 'Custom banned password list' is set to 'Enforce' | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 6.9 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' | ACCESS CONTROL |
| 6.10 Ensure that 'Notify users on password resets?' is set to 'Yes' | ACCESS CONTROL |
| 6.11 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | ACCESS CONTROL |
| 6.12 Ensure that 'User consent for applications' is set to 'Do not allow user consent' | ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION |
| 6.14 Ensure that 'Users can register applications' is set to 'No' | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 6.15 Ensure that 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION |
| 6.17 Ensure that 'Restrict access to Microsoft Entra admin center' is set to 'Yes' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 6.22 Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes' | IDENTIFICATION AND AUTHENTICATION |
| 6.23 Ensure that no custom subscription administrator roles exist | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 6.26 Ensure fewer than 5 users have global administrator assignment | ACCESS CONTROL |
| 7.1.1.1 Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs | AUDIT AND ACCOUNTABILITY |
| 7.1.1.2 Ensure Diagnostic Setting captures appropriate categories | AUDIT AND ACCOUNTABILITY |
| 7.1.1.4 Ensure that logging for Azure Key Vault is 'Enabled' | AUDIT AND ACCOUNTABILITY |
| 7.1.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment | AUDIT AND ACCOUNTABILITY |
| 7.1.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment | AUDIT AND ACCOUNTABILITY |
| 7.1.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group | AUDIT AND ACCOUNTABILITY |
| 7.1.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group | AUDIT AND ACCOUNTABILITY |
| 7.1.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution | AUDIT AND ACCOUNTABILITY |
| 7.1.2.6 Ensure that Activity Log Alert exists for Delete Security Solution | AUDIT AND ACCOUNTABILITY |
| 7.1.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule | AUDIT AND ACCOUNTABILITY |
| 7.1.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule | AUDIT AND ACCOUNTABILITY |
| 7.1.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule | AUDIT AND ACCOUNTABILITY |
| 7.1.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule | AUDIT AND ACCOUNTABILITY |
| 7.1.2.11 Ensure that an Activity Log Alert exists for Service Health | AUDIT AND ACCOUNTABILITY |
| 7.1.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it | AUDIT AND ACCOUNTABILITY |
| 8.1 Ensure that RDP access from the Internet is evaluated and restricted | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.2 Ensure that SSH access from the Internet is evaluated and restricted | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.3 Ensure that UDP access from the Internet is evaluated and restricted | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |