| 2.1.1 Ensure that Azure Databricks is deployed in a customer-managed virtual network (VNet) | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1.2 Ensure that network security groups are configured for Databricks subnets | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1.4 Ensure that users and groups are synced from Microsoft Entra ID to Azure Databricks | ACCESS CONTROL |
| 2.1.5 Ensure that Unity Catalog is configured for Azure Databricks | ACCESS CONTROL |
| 2.1.6 Ensure that usage is restricted and expiry is enforced for Databricks personal access tokens | ACCESS CONTROL |
| 2.1.7 Ensure that diagnostic log delivery is configured for Azure Databricks | AUDIT AND ACCOUNTABILITY |
| 2.1.9 Ensure 'No Public IP' is set to 'Enabled' | ACCESS CONTROL, MEDIA PROTECTION |
| 2.1.10 Ensure 'Allow Public Network Access' is set to 'Disabled' | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.1 Ensure that 'security defaults' is enabled in Microsoft Entra ID | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 5.1.2 Ensure that 'multifactor authentication' is 'enabled' for all users | IDENTIFICATION AND AUTHENTICATION |
| 5.1.3 Ensure that 'Allow users to remember multifactor authentication on devices they trust' is disabled | IDENTIFICATION AND AUTHENTICATION |
| 5.3.1 Ensure that Azure admin accounts are not used for daily operations | ACCESS CONTROL |
| 5.3.2 Ensure that guest users are reviewed on a regular basis | ACCESS CONTROL |
| 5.3.3 Ensure that use of the 'User Access Administrator' role is restricted | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 5.3.4 Ensure that all 'privileged' role assignments are periodically reviewed | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 5.3.5 Ensure disabled user accounts do not have read, write, or owner permissions | ACCESS CONTROL |
| 5.3.6 Ensure 'Tenant Creator' role assignments are periodically reviewed | ACCESS CONTROL |
| 5.3.7 Ensure all non-privileged role assignments are periodically reviewed | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 5.4 Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 5.5 Ensure that 'Number of methods required to reset' is set to '2' | IDENTIFICATION AND AUTHENTICATION |
| 5.6 Ensure that account 'Lockout threshold' is less than or equal to '10' | ACCESS CONTROL |
| 5.7 Ensure that account 'Lockout duration in seconds' is greater than or equal to '60' | ACCESS CONTROL |
| 5.8 Ensure that a 'Custom banned password list' is set to 'Enforce' | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 5.9 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' | ACCESS CONTROL |
| 5.10 Ensure that 'Notify users on password resets?' is set to 'Yes' | ACCESS CONTROL |
| 5.11 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | ACCESS CONTROL |
| 5.12 Ensure that 'User consent for applications' is set to 'Do not allow user consent' | ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION |
| 5.14 Ensure that 'Users can register applications' is set to 'No' | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 5.15 Ensure that 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION |
| 5.17 Ensure that 'Restrict access to Microsoft Entra admin center' is set to 'Yes' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 5.22 Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes' | IDENTIFICATION AND AUTHENTICATION |
| 5.23 Ensure that no custom subscription administrator roles exist | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 5.26 Ensure fewer than 5 users have global administrator assignment | ACCESS CONTROL |
| 5.27 Ensure there are between 2 and 3 subscription owners | ACCESS CONTROL |
| 6.1.1.1 Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs | AUDIT AND ACCOUNTABILITY |
| 6.1.1.2 Ensure Diagnostic Setting captures appropriate categories | AUDIT AND ACCOUNTABILITY |
| 6.1.1.4 Ensure that logging for Azure Key Vault is 'Enabled' | AUDIT AND ACCOUNTABILITY |
| 6.1.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment | AUDIT AND ACCOUNTABILITY |
| 6.1.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment | AUDIT AND ACCOUNTABILITY |
| 6.1.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group | AUDIT AND ACCOUNTABILITY |
| 6.1.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group | AUDIT AND ACCOUNTABILITY |
| 6.1.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution | AUDIT AND ACCOUNTABILITY |
| 6.1.2.6 Ensure that Activity Log Alert exists for Delete Security Solution | AUDIT AND ACCOUNTABILITY |
| 6.1.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule | AUDIT AND ACCOUNTABILITY |
| 6.1.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule | AUDIT AND ACCOUNTABILITY |
| 6.1.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule | AUDIT AND ACCOUNTABILITY |
| 6.1.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule | AUDIT AND ACCOUNTABILITY |
| 6.1.2.11 Ensure that an Activity Log Alert exists for Service Health | AUDIT AND ACCOUNTABILITY |
| 6.1.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it | AUDIT AND ACCOUNTABILITY |
| 7.1 Ensure that RDP access from the Internet is evaluated and restricted | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
