| 2.1.3 Ensure that traffic is encrypted between cluster worker nodes | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1.8 Ensure critical data in Azure Databricks is encrypted with customer-managed keys (CMK) | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1.11 Ensure private endpoints are used to access Azure Databricks workspaces | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1.1 Ensure only MFA enabled identities can access privileged Virtual Machine | IDENTIFICATION AND AUTHENTICATION |
| 5.2.1 Ensure that 'trusted locations' are defined | ACCESS CONTROL, CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.2.2 Ensure that an exclusionary geographic Conditional Access policy is considered | ACCESS CONTROL |
| 5.2.3 Ensure that an exclusionary device code flow policy is considered | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 5.2.4 Ensure that a multifactor authentication policy exists for all users | IDENTIFICATION AND AUTHENTICATION |
| 5.2.5 Ensure that multifactor authentication is required for risky sign-ins | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 5.2.6 Ensure that multifactor authentication is required for Windows Azure Service Management API | IDENTIFICATION AND AUTHENTICATION |
| 5.2.7 Ensure that multifactor authentication is required to access Microsoft Admin Portals | IDENTIFICATION AND AUTHENTICATION |
| 5.2.8 Ensure a Token Protection Conditional Access policy is considered | IDENTIFICATION AND AUTHENTICATION |
| 5.13 Ensure that 'User consent for applications' is set to 'Allow user consent for apps from verified publishers, for selected permissions' | CONFIGURATION MANAGEMENT |
| 5.16 Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles [...]' or 'No one [..]' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION |
| 5.18 Ensure that 'Restrict user ability to access groups features in My Groups' is set to 'Yes' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 5.19 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 5.20 Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 5.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 5.24 Ensure that a custom role is assigned permissions for administering resource locks | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION |
| 5.25 Ensure that 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one' | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 5.28 Ensure passwordless authentication methods are considered | IDENTIFICATION AND AUTHENTICATION |
| 6.1.1.3 Ensure the storage account containing the container with activity logs is encrypted with customer-managed key (CMK) | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.1.1.5 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics | SYSTEM AND INFORMATION INTEGRITY |
| 6.1.1.6 Ensure that logging for Azure AppService 'HTTP logs' is enabled | AUDIT AND ACCOUNTABILITY |
| 6.1.1.7 Ensure that virtual network flow logs are captured and sent to Log Analytics | SYSTEM AND INFORMATION INTEGRITY |
| 6.1.1.8 Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Graph activity logs to an appropriate destination | AUDIT AND ACCOUNTABILITY |
| 6.1.1.9 Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Entra activity logs to an appropriate destination | AUDIT AND ACCOUNTABILITY |
| 6.1.1.10 Ensure that Intune logs are captured and sent to Log Analytics | AUDIT AND ACCOUNTABILITY |
| 6.1.3.1 Ensure Application Insights are Configured | AUDIT AND ACCOUNTABILITY |
| 6.1.5 Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) | SYSTEM AND SERVICES ACQUISITION |
| 6.2 Ensure that Resource Locks are set for Mission-Critical Azure Resources | ACCESS CONTROL, MEDIA PROTECTION |
| 7.5 Ensure that network security group flow log retention days is set to greater than or equal to 90 | AUDIT AND ACCOUNTABILITY |
| 7.6 Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.8 Ensure that virtual network flow log retention days is set to greater than or equal to 90 | AUDIT AND ACCOUNTABILITY |
| 7.9 Ensure 'Authentication type' is set to 'Azure Active Directory' only for Azure VPN Gateway point-to-site configuration | ACCESS CONTROL |
| 7.10 Ensure Azure Web Application Firewall (WAF) is enabled on Azure Application Gateway | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.14 Ensure request body inspection is enabled in Azure Web Application Firewall policy on Azure Application Gateway | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.15 Ensure bot protection is enabled in Azure Web Application Firewall policy on Azure Application Gateway | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.16 Ensure Azure Network Security Perimeter is used to secure Azure platform-as-a-service resources | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.1.1.1 Ensure Microsoft Defender CSPM is set to 'On' | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 8.1.2.1 Ensure Microsoft Defender for APIs is set to 'On' | SECURITY ASSESSMENT AND AUTHORIZATION, RISK ASSESSMENT |
| 8.1.3.1 Ensure that Defender for Servers is set to 'On' | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 8.1.3.2 Ensure that 'Vulnerability assessment for machines' component status is set to 'On' | RISK ASSESSMENT |
| 8.1.3.3 Ensure that 'Endpoint protection' component status is set to 'On' | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 8.1.3.4 Ensure that 'Agentless scanning for machines' component status is set to 'On' | RISK ASSESSMENT |
| 8.1.3.5 Ensure that 'File Integrity Monitoring' component status is set to 'On' | RISK ASSESSMENT |
| 8.1.4.1 Ensure That Microsoft Defender for Containers Is Set To 'On' | RISK ASSESSMENT |
| 8.1.5.1 Ensure That Microsoft Defender for Storage Is Set To 'On' | RISK ASSESSMENT |
| 8.1.5.2 Ensure Advanced Threat Protection Alerts for Storage Accounts Are Monitored | AUDIT AND ACCOUNTABILITY |
| 8.1.6.1 Ensure That Microsoft Defender for App Services Is Set To 'On' | RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION |
