| Recommendation | Control Families |
|---|---|
| 2.1.1.2.1 Ensure Critical Data is Encrypted with Customer Managed Keys (CMK) | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.2.2.1 Ensure Private Endpoints are used to access {service} | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1.3 Ensure that traffic is encrypted between cluster worker nodes | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1.8 Ensure that data at rest and in transit is encrypted in Azure Databricks using customer managed keys (CMK) | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.1 Ensure only MFA enabled identities can access privileged Virtual Machine | IDENTIFICATION AND AUTHENTICATION |
| 6.2.1 Ensure that 'trusted locations' are defined | ACCESS CONTROL, CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.2.2 Ensure that an exclusionary geographic Conditional Access policy is considered | ACCESS CONTROL |
| 6.2.3 Ensure that an exclusionary device code flow policy is considered | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 6.2.4 Ensure that a multifactor authentication policy exists for all users | IDENTIFICATION AND AUTHENTICATION |
| 6.2.5 Ensure that multifactor authentication is required for risky sign-ins | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 6.2.6 Ensure that multifactor authentication is required for Windows Azure Service Management API | IDENTIFICATION AND AUTHENTICATION |
| 6.2.7 Ensure that multifactor authentication is required to access Microsoft Admin Portals | IDENTIFICATION AND AUTHENTICATION |
| 6.13 Ensure that 'User consent for applications' is set to 'Allow user consent for apps from verified publishers, for selected permissions' | CONFIGURATION MANAGEMENT |
| 6.16 Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION |
| 6.18 Ensure that 'Restrict user ability to access groups features in My Groups' is set to 'Yes' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 6.19 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 6.20 Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 6.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 6.24 Ensure that a custom role is assigned permissions for administering resource locks | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION |
| 6.25 Ensure that 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one' | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 7.1.1.3 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK) | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.1.1.5 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics | SYSTEM AND INFORMATION INTEGRITY |
| 7.1.1.6 Ensure that logging for Azure AppService 'HTTP logs' is enabled | AUDIT AND ACCOUNTABILITY |
| 7.1.1.7 Ensure that virtual network flow logs are captured and sent to Log Analytics | SYSTEM AND INFORMATION INTEGRITY |
| 7.1.1.8 Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Graph activity logs to an appropriate destination | AUDIT AND ACCOUNTABILITY |
| 7.1.1.9 Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Entra activity logs to an appropriate destination | AUDIT AND ACCOUNTABILITY |
| 7.1.1.10 Ensure that Intune logs are captured and sent to Log Analytics | AUDIT AND ACCOUNTABILITY |
| 7.1.3.1 Ensure Application Insights are Configured | AUDIT AND ACCOUNTABILITY |
| 7.1.5 Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) | SYSTEM AND SERVICES ACQUISITION |
| 7.2 Ensure that Resource Locks are set for Mission-Critical Azure Resources | ACCESS CONTROL, MEDIA PROTECTION |
| 8.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | AUDIT AND ACCOUNTABILITY |
| 8.6 Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.8 Ensure that virtual network flow log retention days is set to greater than or equal to 90 | AUDIT AND ACCOUNTABILITY |
| 9.1.3.1 Ensure that Defender for Servers is set to 'On' | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 9.1.3.2 Ensure that 'Vulnerability assessment for machines' component status is set to 'On' | RISK ASSESSMENT |
| 9.1.3.3 Ensure that 'Endpoint protection' component status is set to 'On' | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 9.1.3.4 Ensure that 'Agentless scanning for machines' component status is set to 'On' | RISK ASSESSMENT |
| 9.1.3.5 Ensure that 'File Integrity Monitoring' component status is set to 'On' | RISK ASSESSMENT |
| 9.1.4.1 Ensure That Microsoft Defender for Containers Is Set To 'On' | RISK ASSESSMENT |
| 9.1.5.1 Ensure That Microsoft Defender for Storage Is Set To 'On' | RISK ASSESSMENT |
| 9.1.6.1 Ensure That Microsoft Defender for App Services Is Set To 'On' | RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION |
| 9.1.7.1 Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On' | RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION |
| 9.1.7.2 Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' | RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION |
| 9.1.7.3 Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On' | RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION |
| 9.1.7.4 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' | RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION |
| 9.1.8.1 Ensure That Microsoft Defender for Key Vault Is Set To 'On' | RISK ASSESSMENT |
| 9.1.9.1 Ensure That Microsoft Defender for Resource Manager Is Set To 'On' | ACCESS CONTROL, RISK ASSESSMENT |
| 9.1.16 Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled | RISK ASSESSMENT |
| 9.1.17 [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On' | RISK ASSESSMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On' | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |